Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you mask data at index-time conditionally?

twinspop
Influencer
‎01-19-2016 09:52 AM

Given data like this:

v1=1 v2=2 v3=3.45 v4=4 key=bad
v1=6 v2=7 v3=8.45 key=good v4=9

I want to mask the vX values in the case of key=bad only. I cannot guarantee order. Results should be:

v1=x.xx v2=x.xx v3=x.xx v4=x.xx key=bad
v1=6 v2=7 v3=8.45 key=good v4=9

Is this possible?

Reply

alemarzu
Motivator
‎01-19-2016 11:15 AM

Hi twinspop,

Try to follow this example using your sample data.

01/19/2016 11:34 v1=1 v2=2 v3=3.45 v4=4 key=bad
01/19/2016 11:22 v1=6 v2=7 v3=8.45 key=good v4=9

With the given SEDCMD regex below, using Positives Lookbehind/Lookahead.

[your_sourcetype]
SEDCMD = s/(?<=v1=).*(?=\sv2=.*?\skey=bad)/X.XX/g s/(?<=v2=).*(?=\sv3=.*?\sv4=.*?\skey=bad)/X.XX/g s/(?<=v3=).*(?=\sv4=.*?\skey=bad)/X.XX/g s/(?<=v4=)\d(?=\skey=bad)/X.XX/g

Hope it helps.

0 Karma
Reply

twinspop
Influencer
‎01-19-2016 03:22 PM

This might lead to the correct way, but the field names (aside from key) are variable. I should have included that tidbit. 🙂 Reading up on PLBs and PLAs. Thanks!

0 Karma
Reply

twinspop
Influencer
‎01-19-2016 03:53 PM

I'm not able to make this work because the fields that need masking occur an arbitrary number of times. Roughly speaking what I need is:

if (/key=bad/)
    s/v(\d+)=\d+\.\d{2}/v\1=x.xx/g

(this will teach me to use better sample data -- sorry)

0 Karma
Reply

alemarzu
Motivator
‎01-20-2016 12:57 PM

It's okey mate, dont worry about it.

Check this out, based on your sample data again, this regex should match (n) amount of fields.

s/(?<==)(\d+\.\d{1,}+|\d+)(?=.*?key=bad)/X.XX/g

EDIT: regex101 example, https://regex101.com/r/uM9nW8/1

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...