splunk masking the entire event instead of regex matching

iamlearner123
Explorer

Hello,

I am learning Splunk. I have written a transform to mask the email IDs; however, Splunk is masking the entire event instead of the matched pattern. What I am trying to achieve is to mask the email IDs in the events. For example, if there are two email IDs, Splunk has to mask the 2 email IDs, and if there is one email ID, Splunk has to mask only one email ID. Any help would be appreciated.

Sample Events:

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  peter.parker@abc.com,thomas.holland03@abc.com 

(14.2) 04-01-18 04:14:38 (5796:5968)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  henry.pete@abc.com,grant.subarao@abc.com

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  hr.apache@abc.com

Transforms:

REGEX = [A-z0-9._%+-]+(?=@[^,\s]*)
FORMAT = $1 ******@$3
DEST_KEY = _raw

Expected output:

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  XXXXXXXXXXX,XXXXXXXXX
0 Karma

adonio
Ultra Champion

Many answers here match your question.

I found this to be the closest, as it has similar comma-separated emails:
https://answers.splunk.com/answers/592623/how-can-i-mask-email-ids-when-indexing.html

Hope it helps.

0 Karma
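The behaviour from the question, worked through in Python as an added example (not from the thread and not Splunk's own code): a simplified model of how an index-time REGEX/FORMAT transform with DEST_KEY = _raw rebuilds the whole event from FORMAT, which is why a regex with no capture groups wipes the event, next to the substitution a props.conf SEDCMD with the g flag would apply to mask every address. The events are modelled on the ones posted; the Splunk model is an approximation, and Splunk evaluates PCRE rather than Python's re, so the patterns are kept to syntax both share.

```python
import re

# Constructed sample events, modelled on the ones posted in the question.
EVENTS = [
    "(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  "
    "peter.parker@abc.com,thomas.holland03@abc.com",
    "(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  "
    "hr.apache@abc.com",
]

def regex_format_transform(raw: str, regex: str, fmt: str) -> str:
    """Simplified model (written for this example) of a transforms.conf stanza
    with DEST_KEY = _raw: when REGEX matches, the ENTIRE _raw is replaced by
    FORMAT, with each $n expanded to capture group n. A $n that names a group
    the regex does not define expands to nothing."""
    m = re.search(regex, raw)
    if not m:
        return raw

    def expand(ref: re.Match) -> str:
        n = int(ref.group(1))
        if n > len(m.groups()) or m.group(n) is None:
            return ""
        return m.group(n)

    return re.sub(r"\$(\d+)", expand, fmt)

# The stanza from the question: the regex defines no capture groups, so $1 and
# $3 expand to nothing and the rebuilt event collapses to " ******@".
BROKEN_REGEX = r"[A-z0-9._%+-]+(?=@[^,\s]*)"
BROKEN_FORMAT = "$1 ******@$3"

# Repaired REGEX/FORMAT: capture the text before and after the address so the
# rebuilt _raw keeps the rest of the event. [A-Za-z] replaces [A-z], which also
# spans the punctuation between 'Z' and 'a'. A REGEX/FORMAT rewrite runs once
# per event, so this still masks only the first address.
FIXED_REGEX = r"(?m)^(.*?)[A-Za-z0-9._%+-]+(@[^,\s]*.*)$"
FIXED_FORMAT = "$1******$2"

def sedcmd_mask(raw: str) -> str:
    """Python equivalent of a props.conf line
        SEDCMD-mask_email = s/[A-Za-z0-9._%+-]+@/******@/g
    The g flag rewrites every address, so one or many emails are all masked.
    Extend the pattern past the '@' to hide the domain as well."""
    return re.sub(r"[A-Za-z0-9._%+-]+@", "******@", raw)

if __name__ == "__main__":
    for ev in EVENTS:
        print(repr(regex_format_transform(ev, BROKEN_REGEX, BROKEN_FORMAT)), "|", regex_format_transform(ev, FIXED_REGEX, FIXED_FORMAT))
        print(sedcmd_mask(ev))
```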