Getting Data In

How can I mask email id's when indexing?

ansif
Motivator

Hi All,

I want to mask email id from Message tracking logs,but it mask the whole event.Could you pelase help me in masking only emailid's and no other data from the event.

transforms.conf

[emailaddr-anonymizer]
REGEX = ([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63})
FORMAT = ********@*********
DEST_KEY = _raw

props.conf

[<given_source_type>]

TRANSFORMS-anonymize = emailaddr-anonymizer

Sample log

gotsomething,somename@something.com,junk files for,somename@somedomain.com,this is a test log with some emails,myname@mydomain.net,

Expected output:

gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

Thanks

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

0 Karma

ansif
Motivator

Thanks Giuseppe, but the above thing is not working as expected output

Expected output is as follows:

 gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

But I am getting:

,********@*********,

And one more thing,the logs might have email id's without a comma like:

gotsomething,somename@something.com,junk files for,somename@somedomain.com,this is a test log with some emails,myname@mydomain.net,addedmail@domain.net

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ansif,
did yu seen https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ?
using a sed script in props.conf

[given_source_type]
SEDCMD-emails = s/,[^@]*@[^,]*,/,********@*********,/g

or using transforms.conf

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = $1,********@*********,$2
DEST_KEY = _raw

Bye.
Giuseppe

0 Karma

ansif
Motivator

Working fine with below:

 [MSExchange:2013:MessageTracking]
    SEDCMD-emails = s/,?([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63},?)/,********@*********,/g

@Giuseppe :: Please let me know how can I include domain name.

0 Karma

ansif
Motivator

It is resolved:

Tried below code:

[MSExchange:2013:MessageTracking]
SEDCMD-emails = s/,?([A-z0-9._%+-]+@,?)/,********@/g
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...