This page explains how to use the redact operator in APL.
The `redact` operator in APL replaces sensitive or unwanted data in string fields using regular expressions. You can use it to sanitize log data, obfuscate personal information, or anonymize text for auditing or analysis. The operator allows you to define one or multiple regular expressions to identify and replace matching patterns. You can customize the replacement token, generate hashes of redacted values, or retain structural elements while obfuscating specific segments of data.
This operator is useful when you need to ensure data privacy or compliance with regulations such as GDPR or HIPAA. For example, you can redact credit card numbers, email addresses, or personally identifiable information from logs and datasets.
Splunk SPL users
`redact` operator in APL simplifies this process by directly applying regular expressions and offering options for replacement or hashing.

ANSI SQL users
`REPLACE` or `REGEXP_REPLACE` for data obfuscation. APL’s `redact` operator consolidates these capabilities into a single, flexible command.

Parameter | Type | Description |
---|---|---|
replaceToken | string | The string with which to replace matches. If you specify a single character, Axiom replaces each character in the matching text with replaceToken. If you specify more than one character, Axiom replaces the whole of the matching text with replaceToken. The default replaceToken is the * character. |
replaceHash | bool | Specifies whether to replace matches with a hash of the data. You cannot use both replaceToken and replaceHash in the same query. |
redactGroups | bool | Specifies whether to look for capturing groups in the regex and only redact characters in the capturing groups. Use this option for partial replacements or replacements that maintain the structure of the data. The default is false. |
regex | regex | A single regex or an array/map of regexes to match against field values. |
on Field | | Limits redaction to specific fields. If you omit this parameter, Axiom redacts all string fields in the dataset. |

Operation | Sample regex | Original string | Redacted string |
---|---|---|---|
Redact email addresses | `[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+` | Incoming Mail - abc@test.com | Incoming Mail - ************ |
Redact social security numbers | `\d{3}-\d{2}-\d{4}` | SSN 123-12-1234.pdf | SSN ***********.pdf |
Redact IBAN | `[A-Z]{2}[0-9]{2}(?:[ ]?[0-9]{4}){4}(?!(?:[ ]?[0-9]){3})(?:[ ]?[0-9]{1,2})?` | AB12 1234 1234 1234 1234 | ************************ |
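
The following is an added Python model of the parameter semantics described above, not Axiom's code and not APL syntax. It uses the table's email and SSN patterns with their quantifiers written out. The hash function, the `SSN_KEEP_LAST4` pattern, and the function names are assumptions made for illustration.

```python
import hashlib
import re

# Regexes for the table's email and SSN rows; SSN_KEEP_LAST4 is a constructed
# variant with one capturing group, used to show redactGroups.
EMAIL = r"[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+"
SSN = r"\d{3}-\d{2}-\d{4}"
SSN_KEEP_LAST4 = r"(\d{3}-\d{2})-\d{4}"


def redact(text, regex, replace_token=None, replace_hash=False, redact_groups=False):
    """Model of the documented parameter semantics for one string value."""
    if replace_hash and replace_token is not None:
        raise ValueError("replaceToken and replaceHash are mutually exclusive")
    token = "*" if replace_token is None else replace_token

    def mask(s):
        if replace_hash:
            # Assumption: truncated SHA-256; the page does not name the hash function.
            return hashlib.sha256(s.encode()).hexdigest()[:12]
        # One-character token masks every character; a longer token replaces the whole match.
        return token * len(s) if len(token) == 1 else token

    def substitute(m):
        if not (redact_groups and m.re.groups):
            return mask(m.group(0))
        # Mask only the capturing groups (assumed non-nested); keep the rest of the match.
        out, pos = [], m.start()
        for i in range(1, m.re.groups + 1):
            if m.start(i) < 0:  # group did not take part in this match
                continue
            out += [m.string[pos:m.start(i)], mask(m.group(i))]
            pos = m.end(i)
        return "".join(out) + m.string[pos:m.end()]

    return re.sub(regex, substitute, text)


def redact_record(record, regex, fields=None, **options):
    """Redact the named fields, or every string field when `fields` is omitted."""
    return {k: redact(v, regex, **options)
            if isinstance(v, str) and (fields is None or k in fields) else v
            for k, v in record.items()}


if __name__ == "__main__":
    line = "SSN 123-12-1234.pdf"  # constructed sample, same shape as the table row
    print(redact(line, SSN))
    print(redact(line, SSN, replace_token="[REDACTED]"))
    print(redact(line, SSN_KEEP_LAST4, redact_groups=True))
    print(redact("Incoming Mail - abc@test.com", EMAIL, replace_hash=True))
```

A single-character token keeps the length of the original value visible in the output, while a multi-character token or a hash does not.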
`redact` operator to sanitize HTTP logs by obfuscating geographical data.

Query_time | geo.city | geo.country |
---|---|---|
2025-01-01 12:00:00 | xxx | xxxxxxxx |
2025-01-01 12:05:00 | xxxxxx | xxxxxxxxxx |
`.*` with the character `x` in the `geo.city` and `geo.country` fields.

`redact` provides a simpler, security-focused interface. Use `redact` if you’re primarily focused on data privacy and compliance, and `replace_regex` if you need more control over the replacement text format.