Solved: Re: How can I mask email id's when indexing?

ansif · ‎11-20-2017

Hi All,

I want to mask email id from Message tracking logs,but it mask the whole event.Could you pelase help me in masking only emailid's and no other data from the event.

transforms.conf

[emailaddr-anonymizer]
REGEX = ([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63})
FORMAT = ********@*********
DEST_KEY = _raw

props.conf

[<given_source_type>]

TRANSFORMS-anonymize = emailaddr-anonymizer

Sample log

gotsomething,somename@something.com,junk files for,somename@somedomain.com,this is a test log with some emails,myname@mydomain.net,

Expected output:

gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

Thanks

gcusello · ‎11-20-2017

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

View solution in original post

gcusello · ‎11-20-2017

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

ansif · ‎11-20-2017

Thanks Giuseppe, but the above thing is not working as expected output

Expected output is as follows:

 gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

But I am getting:

,********@*********,

And one more thing,the logs might have email id's without a comma like:

gotsomething,somename@something.com,junk files for,somename@somedomain.com,this is a test log with some emails,myname@mydomain.net,addedmail@domain.net

gcusello · ‎11-20-2017

Hi ansif,
did yu seen https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ?
using a sed script in props.conf

[given_source_type]
SEDCMD-emails = s/,[^@]*@[^,]*,/,********@*********,/g

or using transforms.conf

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = $1,********@*********,$2
DEST_KEY = _raw

Bye.
Giuseppe

ansif · ‎11-20-2017

Working fine with below:

 [MSExchange:2013:MessageTracking]
    SEDCMD-emails = s/,?([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63},?)/,********@*********,/g

@Giuseppe :: Please let me know how can I include domain name.

ansif · ‎11-20-2017

It is resolved:

Tried below code:

[MSExchange:2013:MessageTracking]
SEDCMD-emails = s/,?([A-z0-9._%+-]+@,?)/,********@/g

How can I mask email id's when indexing?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How can I mask email id's when indexing?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I