I've got a requirement to mask the incoming JSON request inside an array using regular expression on Splunk indexer. The JSON data looks like this:
{"Name":["Jobs","Bill"]}
I'm expected to mask the incoming data so that it looks like this:
{"Name":["******","******"]}
And the regex I'm using to mask the data looks something like this:
s/\"Name\":\"[^"]*\"/"Name":"******"/g
But for some reason I'm unable to mask the JSON data. Could any of you good folks please help?
You can use
s/(?:\G(?!^)\",|\"Name\":\[)\"\K[^\"]*/******/g
To support escaped \", use
s/(?:\G(?!^)\",|\"Name\":\[)\"\K[^\"\\]*(?:\\.[^\"\\]*)*/******/g
See the regex demo #1 and regex demo #2
Details
(?:\G(?!^)\",|\"Name\":\[) - either the end of the previous match and then ", substring, or "Name":[ substring\" - " char\K - match reset operator discarding all text matched so far[^\"]* - any zero or more chars other than ".[^\"\\]*(?:\\.[^\"\\]*)* - any 0+ chars other than " and \ and then zero or more repetitions of a \ followed with any char but a line break char and then any 0+ chars other than \ and ".