We have a requirement to search for the presence of any sensitive data without masking (like firstName, lastName, eMail, etc.) in the Kibana/Elasticsearch logs, in the field full_message. Usually these details are populated with masking, but in some scenarios we are getting the original data. To find that non-masked data we tried to write a regular expression in the search query, but it's not working as expected.
If full_message contains the patterns below, we need to exclude those logs from our search result.

Pattern 1:
full_message: "Some data followed by **firstName: *****, lastName and some data"

Pattern 2:
full_message: "Some data followed by firstName: null, lastName and some data"

Pattern 3:
full_message: "Some data followed by firstName\n lastName\n and some data"

Pattern 4:
full_message: "Some data followed by "firstName":"masked","lastName":"masked" and some data"
Please let us know if anyone has any ideas on this.
P.S.: We tried to use RegEx but are not getting the expected results.
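As an added example (not part of the original question or of Elasticsearch), an offline Python check that classifies a full_message as masked or leaking according to the four masked patterns above. An Elasticsearch regexp query on an analyzed text field is matched against individual tokens rather than the whole message, so a check like this run over exported log lines, or before ingest, is one way to validate the masking independently. The field list, the regular expressions and the sample log lines are constructed assumptions, not values from the question.

```python
import re

# Fields whose values must never appear unmasked in full_message (assumed list).
SENSITIVE_FIELDS = ("firstName", "lastName", "eMail")

# Values that count as masked, derived from the four patterns in the question:
#   firstName: *****        asterisks
#   firstName: null         the literal null
#   firstName\n             field name with no value before the line break
#   "firstName":"masked"    JSON with the literal "masked"
MASKED_VALUE = re.compile(r"^(?:\*+|null|masked|)$", re.IGNORECASE)

# Matches  <field>: <value>  or  "<field>":"<value>"  and captures the value.
# The optional group leaves the value empty when no colon follows the field name.
# A value ends at a comma, a closing quote, a line break, or the end of the string.
FIELD_VALUE = re.compile(
    r'"?\b(?P<field>' + "|".join(SENSITIVE_FIELDS) + r')\b"?\s*'
    r'(?::\s*"?(?P<value>[^",\n]*))?',
    re.IGNORECASE,
)


def unmasked_fields(full_message: str) -> list:
    """Return the names of sensitive fields whose value is not masked."""
    leaks = []
    for m in FIELD_VALUE.finditer(full_message):
        value = (m.group("value") or "").strip()
        if not MASKED_VALUE.match(value):
            leaks.append(m.group("field"))
    return leaks


def leaking_lines(lines) -> list:
    """Return (index, leaked_fields) for every line that exposes an unmasked value."""
    results = []
    for i, line in enumerate(lines):
        leaks = unmasked_fields(line)
        if leaks:
            results.append((i, leaks))
    return results


# Constructed sample log lines: the four masked patterns plus two leaking ones.
SAMPLE_LOGS = [
    "Some data followed by **firstName: *****, lastName and some data",
    "Some data followed by firstName: null, lastName and some data",
    "Some data followed by firstName\n lastName\n and some data",
    'Some data followed by "firstName":"masked","lastName":"masked" and some data',
    "Request processed for firstName: Alice, lastName: Smith, eMail: alice@example.com",
    'Payload: {"firstName":"masked","lastName":"masked","eMail":"alice@example.com"}',
]

if __name__ == "__main__":
    for idx, fields in leaking_lines(SAMPLE_LOGS):
        print(f"line {idx}: unmasked {fields}")
```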