I'm trying to mask multiple fields from the raw results. Only one of the fields ends up masked in the raw. It seems I need to either do one statement that gets them all or something else. I've experimented with using a pattern with pipes and also naming the EVAL-_raw differently like EVAL-_raw1 = and EVAL-raw2 = but have not found a winning combination. If I only try to mask one value I have no issue, so I believe it has to do with me trying to do the replace on more than one _raw string at once. I'm really hoping there is an answer other than deleting logs out. Any assistance is appreciated. These events are already indexed and I just want to mask the sensitive data at search time via props.conf on SH.
[wineventlog]
##DOB mask
EXTRACT-DOB = \<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>
EVAL-DOB = if(isnull(DateOfBirth),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>","<DateOfBirth>##masked##</DateOfBirth>")
##SSN mask
EXTRACT-SSN = \<SSN\>(?<SSN>[^\<]+)\<\/SSN\>
EVAL-SSN = if(isnull(SSN),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<SSN\>[^\<]+\<\/SSN\>","<SSN>##masked##</SSN>")
##LicenseNumber mask
EXTRACT-LicenseNumber = \<LicenseNumber\>(?<LicenseNumber>[^\<]+)\<\/LicenseNumber\>
EVAL-LicenseNumber = if(isnull(LicenseNumber),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<LicenseNumber\>[^\<]+\<\/LicenseNumber\>","<LicenseNumber>##masked##</LicenseNumber>")
##VIN mask
EXTRACT-VIN = \<VIN\>(?<VIN>[^\<]+)\<\/VIN\>
EVAL-VIN = if(isnull(VIN),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<VIN\>[^\<]+\<\/VIN\>","<VIN>##masked##</VIN>")
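One way to write this stanza, as an added example that is not part of the original post: a repeated attribute name within a props.conf stanza resolves to a single setting, so only one of the four EVAL-_raw lines takes effect, and a differently named key such as EVAL-_raw1 creates a new field called _raw1 instead of changing _raw. The version below nests the four replacements into one EVAL-_raw expression; it reuses the post's stanza name, patterns and mask string, and it assumes the DOB calculated field should be named DateOfBirth so that it overrides the extracted field of that name.

```ini
[wineventlog]
# Inline extractions (EXTRACT-) run before calculated fields (EVAL-) at search time.
EXTRACT-DOB = \<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>
EXTRACT-SSN = \<SSN\>(?<SSN>[^\<]+)\<\/SSN\>
EXTRACT-LicenseNumber = \<LicenseNumber\>(?<LicenseNumber>[^\<]+)\<\/LicenseNumber\>
EXTRACT-VIN = \<VIN\>(?<VIN>[^\<]+)\<\/VIN\>

# Each calculated field has the same name as the extracted field it masks,
# so the extracted value is replaced in the results. Events without the
# field keep it null.
EVAL-DateOfBirth = if(isnull(DateOfBirth), null(), "##masked##")
EVAL-SSN = if(isnull(SSN), null(), "##masked##")
EVAL-LicenseNumber = if(isnull(LicenseNumber), null(), "##masked##")
EVAL-VIN = if(isnull(VIN), null(), "##masked##")

# Exactly one EVAL-_raw key. Each replace() takes the output of the one
# nested inside it as its input, so all four elements are masked in turn.
EVAL-_raw = replace(replace(replace(replace(_raw, "\<DateOfBirth\>[^\<]+\<\/DateOfBirth\>", "<DateOfBirth>##masked##</DateOfBirth>"), "\<SSN\>[^\<]+\<\/SSN\>", "<SSN>##masked##</SSN>"), "\<LicenseNumber\>[^\<]+\<\/LicenseNumber\>", "<LicenseNumber>##masked##</LicenseNumber>"), "\<VIN\>[^\<]+\<\/VIN\>", "<VIN>##masked##</VIN>")
```

This changes only what searches return for this sourcetype on the search head where the stanza is deployed; the indexed events still contain the original values.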