Splunk Search

splunk masking the entire event instead of regex matching

iamlearner123
Explorer

Hello,

I am learning Splunk. I have written a transform to mask the email IDs; however, Splunk is masking the entire event instead of the matched pattern. What I am trying to achieve is to mask the email IDs in the events. For example, if there are two email IDs, Splunk has to mask the 2 email IDs, and if there is one email ID, Splunk has to mask only one email ID. Any help would be appreciated.

Sample Events:

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  peter.parker@abc.com,thomas.holland03@abc.com 

(14.2) 04-01-18 04:14:38 (5796:5968)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  henry.pete@abc.com,grant.subarao@abc.com

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  hr.apache@abc.com

Transforms

REGEX = [A-z0-9._%+-]+(?=@[^,\s]*)
FORMAT = $1 ******@$3
DEST_KEY = _raw

Expected output:

(14.2) 04-01-18 00:03:38 (1944:3676)  PRINTFN: $G_NOTIFY_GRP_INTERNAL:  XXXXXXXXXXX,XXXXXXXXX
0 Karma

adonio
Ultra Champion

Many answers here that match your question.

I found this to be the closest, as it has similar comma-separated emails:
https://answers.splunk.com/answers/592623/how-can-i-mask-email-ids-when-indexing.html

Hope it helps.

0 Karma
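For comparison, here is the transform from the question next to a `SEDCMD` form that masks every address in an event. This is an added example, not taken from either post or from the linked answer. The stanza name `mask_email_as_posted`, the sourcetype `your_sourcetype` and the class name `mask_email` are placeholders.

```ini
# --- transforms.conf (as posted; stanza name is a placeholder) ---
# With DEST_KEY = _raw, the expanded FORMAT string becomes the whole new
# event. Text that is not captured by REGEX and re-emitted in FORMAT is
# dropped. This REGEX has no capture groups (a lookahead captures nothing),
# so $1 and $3 expand to nothing and the event is replaced by the FORMAT
# literal alone.
# [A-z] is also wider than intended: it spans the ASCII characters between
# "Z" and "a" ( [ \ ] ^ _ ` ). Use A-Za-z.
[mask_email_as_posted]
REGEX = [A-z0-9._%+-]+(?=@[^,\s]*)
FORMAT = $1 ******@$3
DEST_KEY = _raw

# --- props.conf (corrected approach; sourcetype name is a placeholder) ---
# SEDCMD applies a sed-style substitution to _raw at index time. Only the
# matched text is replaced, and the trailing "g" flag repeats the
# substitution for every address in the event, so one, two or more
# comma-separated addresses are all masked.
# The replacement is a fixed-length string: sed syntax cannot emit one "X"
# per masked character.
[your_sourcetype]
SEDCMD-mask_email = s/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/XXXXXXXXXX/g
```

Index-time masking affects only events indexed after the change is deployed on the instance that parses the data (indexer or heavy forwarder); events already in the index keep the unmasked addresses.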