splunk masking the entire event instead of regex m...

iamlearner123 · ‎04-29-2019

Hello,

I am learning splunk. I have written a transforms to mask the email ID's however, the splunk is masking the entire event instead of matched pattern. what i am trying to achieve is to mask the email ID's in the events. For example, if there are two email ID's, splunk has to mask the 2 email ID's and if there is one email ID, splunk has to mask only one email ID. Any help would be appreciated.

Sample Events:

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  peter.parker@abc.com,thomas.holland03@abc.com 

(14.2) 04-01-18 04:14:38 (5796:5968)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  henry.pete@abc.com,grant.subarao@abc.com

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  hr.apache@abc.com

Transforms

REGEX = [A-z0-9._%+-]+(?=@[^,\s]*)
FORMAT = $1 ******@$3
DEST_KEY = _raw

Expected output:

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  XXXXXXXXXXX,XXXXXXXXX

adonio · ‎04-29-2019

many answers here that match your question

i found this to be the closest as it has similar comma separated emails
https://answers.splunk.com/answers/592623/how-can-i-mask-email-ids-when-indexing.html

hope it helps

splunk masking the entire event instead of regex matching

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...