Mask first 5 digits of SSN in the Watcher alert email


I have configureda watcher to alert an event, when it happens it sends an email with Participant's SSN, Username, Ip address, Geolocation. The below action sends me the records.

But I want to mask the first 5 digits of the SSN and render XXX-XX-0000, something like this. Is there an easy way to do this?

"actions": {
"email_administrator": {
"email": {
"profile": "standard",
"from": "'TA Tech Dev Ops'",
"priority": "high",
"to": [
"'TA Tech Dev Ops'"
"subject": "Test - Email template",
"body": {
"html": "

Test - Email template

Participant SSN {{_source.SOC_SEC_NO}}
Username {{_source.USER_NO}}
IP Address {{_source.REMOTE_IP_I}}
Geo IP location {{_source.geoiplocation}}



If you have inline scripts allowed for your watchers, I'd recommend the following:

Create a transform script in PAINLESS (assuming a modern version of elastic stack) for your email action
The transform script would then reference your Participant SSN as a payload variable
The transform script would seperate the SSN into two groups, with the last4 being captured in a variable.
Return the variable as some string to the watch event already prepared in the desired format (XXX-XX-1234).

Reference that variable in your email template by the requisite name.

I envision your script would be something like

String last4SSN = /.*([0-9]{4})$/.matcher(ctx._source.SOC_SEC_NO).replaceAll('$1'); String maskedSSN = 'XXX-XX-' + last4SSN; return maskedSSN;

Obviously you'll want to play around with that; I don't have anything where I'm doing similar substitution but my idea was a transform to grab the last 4 digits from the SOC_SEC_NO, assign them to RegEx Variable 1, and to assign that as the last4SSN; Then concatenate that with the preceeding XXX-XX- to create a maskedSSN.

Return the variable for use in your email template as a mustache variable.

Use the watcher simulation to test your results, I recommend doing one transform statement at a time to ensure you're able to get it going!

Best of luck!

Hello John,

Thanks for the response. I will give this a try.

I have another issue, where I want to show NA in email alert for the fields that are not available with _source. I have a pre-formatted email template for which the fields that are not available with _source, I have to show that as NA.

I have written a transform script like the one below. Is this the right way to do this? I am getting the below error for this script,

Watcher: An internal server error occurred

"transform": {
"script": {
"source": "for(int j=0;j<ctx.payload.hits.hits;j++){if(ctx.payload.hits.hits[j]._source.containsKey("CASE_NO")) {return ctx.payload.hits.hits[j]._source.CASE_NO} else {return "NA"}}",
"lang": "painless"
  1. Please let me know if transform script is the right way to do this. If yes how can I access the returned value in email alert? If not, how can I achieve this.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.