hey premranjithj
if you want to mask anything after Id: with Id: XXXX
then use below query
| rex field=_raw mode=sed "s/Id:\s((\d+-\d+)|(\d+))/Id: XXXX/g"
If you want to mask : ASEEM7593 with : XXXX
| rex field=raw mode=sed "s/:\s[A-Z]+\d+/: XXXX/g"
If you want to mask value 377593df332 with value XXXX
| rex field=raw mode=sed "s/\w+$/XXXX/g"
If you want to mask P58U0040 with P58UXXXX
| rex field=raw mode=sed "s/P58U\d{4}/P58UXXXX/g"
If you want to mask any email in the data then use
| rex field=raw mode=sed "s/((\w[\w\-\.]+@\w+.com))(.*)/XXXX/g"
If you want to mask any email except your domain suppose gmail
| rex field=raw mode=sed "s/[A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63}(?<!@gmail.com)(?:[^A-z]|$)/XXXX/g"
Let me know if this helps you!
