Description
The Mask Function masks, or replaces, patterns in events. This is especially useful for redacting PII (personally identifiable information) and other sensitive data.
Usage
Filter: Filter expression (JS) that selects data to be fed through the Function. Defaults to true
, meaning that all events will be evaluated.
Description: Simple description about this Function. Defaults to empty.
Final: If true, stops data from being fed to the downstream Functions. Defaults to No
.
Masking rules: Match Regex and Replace Expression pairs. Defaults to empty. Each row has the following fields:
- Match regex: Pattern to replace. Supports capture groups. Use
/g
to replace all matches, e.g.:/foo(bar)/g
- Replace expression: A JavaScript expression or literal to replace all matching content.
To add more rows, click + Add Rule .
Apply to fields: Fields on which to apply the masking rules. Defaults to _raw
. Add more fields by typing in their names, separated by hard returns. Supports wildcards (*
) and nested addressing.
Negated terms are also supported. When you negate field names, the fields list is order-sensitive. E.g.,Â
!foobar
beforefoo*
means "Apply to all fields that start withfoo
, exceptfoobar
." However,!foo*
before*
means "Apply to all fields, except for those that start withfoo
."
Advanced Settings
Evaluate fields: Optionally, specify fields to add to events in which one or more of the Masking Rules were matched. These fields can be useful in downstream processing and reporting. You specify the fields as keyâvalue expression pairs, like those in the Eval Function.
- Name: Field name.
- Value Expression: JavaScript expression to compute the value (can be a constant).
Evaluating the Replace Expression
The Replace expression field accepts a full JS expression that evaluates to a value, so you're not necessarily limited to what's under C.Mask
. For example, you can do conditional replacement: g1%2==1 ? `fieldA="odd"` : `fieldA="even"`
The Replace expression can reference other event fields as event.<fieldName>
. For example, `${g1}${event.source}`
. Note that this is slightly different from other expression inputs, where event fields are referenced without event.
Here, we require the event.
prefix for the following reasons:
- We don't expect this to be a common case.
- Expanding the event in the replace context would have a high performance hit on the common path.
- There is a slight chance that there might be a
gN
field in the event.
Examples
Example 1: Transform a String
Here, we'll simply search for the string dfhgdfgj
, and replace that value (if found) with Trans AM
. This will help close Americaâs muscle-car gap:


Event before masking
Configure the Mask Function > Masking Rules as follows:
Match Regex: dfhgdfgj
Replace Expression: Trans AM


Mask Function configuration
Result: Vroom vroom!


Event after masking
Example 2: Mask Sensitive Data
Assume that you're ingesting data whose _raw
fields contain unredacted Social Security numbers in the Key=Value pattern social=#########
.


Event with unredacted SSNs
You can use a Mask Function to run an md5 hash of the social
keys' numeric values, replacing the original values with the hashed values. Configure the Masking Rules as follows:
Match Regex: (social=)(\d+)
Replace Expression: `${g1}${C.Mask.md5(g2)}`
In the first example everything in the Match regex field was replaced by the Replace Expression. However if that isn't desired then you can use capture groups in the Match Regex to define individual string components for manipulation or, alternatively, use string literals in the Replace expression for retaining any static text. Any content matching the Match Regex that is not inserted into the Replace expression will not be retained.
In this example, social=
is assigned to capture group g1 for later reference. The value of social=
will be hashed by referencing it as g2 in the md5 function. If we didn't make social=
its own capture group (or specified social=
as a literal in the Replace Expression) then we cannot reference it using g1 in the Replace expression, the value of social=
would instead be assigned to g1, and the entire social=#########
string would be replaced with a hash of the social security number, which probably isn't desired because no one would know the value being hashed without a field name preceding it.


Mask Function configuration
Result: The sensitive values are replaced by their md5 hashes.


Event with hashed SSNs
In scenarios where you need to send unmodified values to certain Destinations (such as archival stores), you can narrow the Mask Function's scope by setting the associated Route's Output field.
For further masking examples, see Masking and Obfuscation.
Updated about a month ago