This is a simple trick to mask data at search time. Get the part of the event to mask with a "rex" command, then modify the "_raw" field with the masked data.
From the original event, trim the last 5 digits from accountNumber. Original event:
2016-04-06 12:24:06,Event [Event=UpdateBillingProvQuote, timestamp=1337891259, properties={JMSCorrelationID=NA, JMSMessageID=ID:ESP-PD.F4CB3B4B9EF87:AA49A1BD, orderType=FeatureChange, quotePriority=NORMAL, conversationId=ESB~16214F4A71D1DA77:E35B0544:0F2958EEF3F0:B580, credits=NA, JMSReplyTo=pub.esb.genericasync.response, timeToLive=-1, serviceName=UpdateBillingProvisioning, esn=7F758AD4A3B86F, accountNumber=900013479, MethodName=InternalEvent, AdapterName=UpdateBillingProvQuote, meid=NA, orderNumber=19256698, quoteNumber=75909847, ReplyTo=NA, userName=temordia, EventConversationID=NA, mdn=5789374447, accountType=PrePaid, marketCity="ARVADA", marketState=CO, marketZip=80006, billingCycle=27, autoBillPayment=T, phoneCode=HE4G, phoneType=Android, phoneName="HTC Evo 4G", planCode=ULPRE50, planType=PrePaid, planPrice=50.00, planName="Unlimited Prepaid", planDescription="Nationwide Prepaid Unlimited Minutes", networkProviderName=Splunktel}]
New search:
index=oidemo sourcetype=business_event | rex "^(?<head>.*accountNumber=\d+)\d{5}(?<tail>,.*)$" | eval _raw=head."XXXX".tail
The new event now looks like this:
2016-04-06 12:24:06,Event [Event=UpdateBillingProvQuote, timestamp=1337891259, properties={JMSCorrelationID=NA, JMSMessageID=ID:ESP-PD.F4CB3B4B9EF87:AA49A1BD, orderType=FeatureChange, quotePriority=NORMAL, conversationId=ESB~16214F4A71D1DA77:E35B0544:0F2958EEF3F0:B580, credits=NA, JMSReplyTo=pub.esb.genericasync.response, timeToLive=-1, serviceName=UpdateBillingProvisioning, esn=7F758AD4A3B86F, accountNumber=9000XXXX, MethodName=InternalEvent, AdapterName=UpdateBillingProvQuote, meid=NA, orderNumber=19256698, quoteNumber=75909847, ReplyTo=NA, userName=temordia, EventConversationID=NA, mdn=5789374447, accountType=PrePaid, marketCity="ARVADA", marketState=CO, marketZip=80006, billingCycle=27, autoBillPayment=T, phoneCode=HE4G, phoneType=Android, phoneName="HTC Evo 4G", planCode=ULPRE50, planType=PrePaid, planPrice=50.00, planName="Unlimited Prepaid", planDescription="Nationwide Prepaid Unlimited Minutes", networkProviderName=Splunktel}]
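An added example, not part of the original post: a Python check of the masking pattern on constructed events, showing two cases where the head/tail pattern does not match (accountNumber as the last field, or a value of five digits or fewer) next to an assumed generalisation that covers them. Python's `re` writes named groups as `(?P<name>...)`; the function names and sample events are constructed for this example.

```python
import re

# Python spelling of the rex pattern above, with the comma kept in the tail
# so it survives the rewrite of the event.
PAGE_STYLE = re.compile(r"^(?P<head>.*accountNumber=\d+)\d{5}(?P<tail>,.*)$")

# Assumed generalisation (not from the post): any delimiter after the number,
# every occurrence in the event, and values of five digits or fewer.
GENERAL = re.compile(r"(accountNumber=)(\d+)")

# Constructed sample events, shortened from the event format shown above.
SAMPLES = {
    "mid_event": "esn=7F758AD4A3B86F, accountNumber=900013479, MethodName=InternalEvent",
    "last_field": "MethodName=InternalEvent, accountNumber=900013479}]",
    "short_value": "accountNumber=13479, MethodName=InternalEvent",
}


def mask_page_style(raw):
    """Return the masked event, or None when the pattern does not match."""
    m = PAGE_STYLE.match(raw)
    return m.group("head") + "XXXX" + m.group("tail") if m else None


def mask_general(raw):
    """Mask the last five digits of every accountNumber value.

    Values of five digits or fewer are masked completely.
    """
    def repl(m):
        return m.group(1) + m.group(2)[:-5] + "XXXX"
    return GENERAL.sub(repl, raw)


def report():
    """Map sample name -> (page-style result, generalised result)."""
    return {name: (mask_page_style(raw), mask_general(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (page, general) in report().items():
        print(f"{name:12} page-style={page!r}")
        print(f"{'':12} general   ={general!r}")
```
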