Obfuscation rules let you mask sensitive data before the agent transmits it to New Relic. Each rule is a regex pattern paired with a replacement string. The agent applies rules in order to every string attribute value in every outgoing event — including QoE events and crash-recovered events.
iOS
Configuration
Objective-C
```objc
NRVAVideoConfiguration *config = [[[[NRVAVideoConfiguration builder]
    withApplicationToken:@"YOUR_NEW_RELIC_TOKEN"]
    withObfuscationRules:@[
        @{ @"regex": @"account-\\d+", @"replacement": @"ACCOUNT_ID" },
        @{ @"regex": @"token=[^&\"]+", @"replacement": @"token=REDACTED" },
    ]] build];
[[[NRVAVideo newBuilder] withConfiguration:config] build];
```
Swift
```swift
let config = NRVAVideoConfiguration.builder()
    .withApplicationToken("YOUR_NEW_RELIC_TOKEN")
    .withObfuscationRules([
        ["regex": "account-\\d+", "replacement": "ACCOUNT_ID"],
        ["regex": "token=[^&\"]+", "replacement": "token=REDACTED"],
    ])
    .build()
NRVAVideo.newBuilder().with(configuration: config).build()
```
How it works
- The agent applies rules per string attribute value, not to the raw JSON payload — numeric and boolean attributes aren't affected.
- All rules run against every outgoing event, including regular, live, QoE, and crash-recovered events.
- Rules run in the order you declare them. If two rules can match the same value, order matters.
- The agent never obfuscates the applicationToken or HTTP auth headers — obfuscation only applies to event attribute values.
Edge cases
| Scenario | Behavior |
|---|---|
| No rules configured | The agent passes all attribute values through unchanged with no performance impact. |
| Empty replacement string | The agent removes the matched content from the value. |
| Invalid regex pattern | withObfuscationRules: throws NSInvalidArgumentException at configuration time, before any events are sent. |
| Non-string attribute value | The agent skips the attribute. Only string values are processed. |
| Malformed rules array entry | The agent skips any entry that isn't a dictionary and writes a warning to the log. |
| applicationToken and HTTP auth headers | These are never included in event attributes and aren't affected by obfuscation rules. |
| Rule ordering | Rules run in the order they're declared in the array. |
| Catastrophic backtracking | NSRegularExpression has no built-in timeout on iOS. Avoid patterns with unbounded nested quantifiers (for example, (a+)+). Test rules against worst-case inputs before deploying. |
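The table's advice to catch invalid patterns and test worst-case inputs before deploying can be scripted. The following is an added example, not New Relic's code or the agent's implementation: `compile`, `obfuscate`, `slowRules`, `RuleError`, the sample URL and the 50 ms budget are all assumptions, and the rule array is the one from the Swift configuration above.

```swift
import Foundation
// Hypothetical pre-deployment check (added example, not the agent's API).
typealias Rule = [String: String]
typealias Compiled = (regex: NSRegularExpression, replacement: String)
enum RuleError: Error { case malformed(index: Int), invalidRegex(index: Int, pattern: String) }

/// Compile rules in declared order, rejecting malformed entries and bad patterns.
func compile(_ rules: [Rule]) throws -> [Compiled] {
    var compiled: [Compiled] = []
    for (index, rule) in rules.enumerated() {
        guard let pattern = rule["regex"], let replacement = rule["replacement"]
        else { throw RuleError.malformed(index: index) }
        guard let regex = try? NSRegularExpression(pattern: pattern, options: [])
        else { throw RuleError.invalidRegex(index: index, pattern: pattern) }
        compiled.append((regex: regex, replacement: replacement))
    }
    return compiled
}

/// Apply rules in order; each rule receives the previous rule's output.
func obfuscate(_ value: String, with rules: [Compiled]) -> String {
    var current = value
    for rule in rules {
        let range = NSRange(current.startIndex..., in: current)
        current = rule.regex.stringByReplacingMatches(
            in: current, options: [], range: range, withTemplate: rule.replacement)
    }
    return current
}

/// Return indexes of rules that exceed `budget` seconds on a worst-case input.
func slowRules(_ rules: [Compiled], input: String, budget: TimeInterval) -> [Int] {
    rules.indices.filter { index in
        let start = Date()
        _ = obfuscate(input, with: [rules[index]])
        return Date().timeIntervalSince(start) > budget
    }
}
// Rules from the configuration above; the sample values below are constructed.
let rules: [Rule] = [
    ["regex": "account-\\d+", "replacement": "ACCOUNT_ID"],
    ["regex": "token=[^&\"]+", "replacement": "token=REDACTED"],
]
do {
    let compiled = try compile(rules)
    print(obfuscate("https://cdn.example.com/account-4821/a.m3u8?token=abc123&q=hd", with: compiled))
    let worstCase = "token=" + String(repeating: "a", count: 100_000)
    print("rules over budget:", slowRules(compiled, input: worstCase, budget: 0.05))
} catch { print("rule set rejected:", error) }
```

Run it in a unit test or CI step with the longest attribute values your app can produce, so a slow or invalid rule fails the build instead of surfacing on a device.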
Roku
You can configure the agent with regex-based obfuscation rules to mask sensitive data before the agent sends events to New Relic. Use this feature when fields like contentSrc, contentTitle, origUrl, or custom attributes may inadvertently contain user IDs, tokens, or other PII.
The agent applies rules to every string attribute in every outgoing event — including video, ad (RAF and IMA), QOE, system, and custom events — before the event enters the internal buffer.
Configuration
Call nrSetObfuscationRules after you create the agent. Each rule is an associative array with a regex string and a replacement string:
```brightscript
m.nr = NewRelic("ACCOUNT_ID", "API_KEY", "APP_NAME", "APP_TOKEN")
nrSetObfuscationRules(m.nr, [
    { regex: "account-[0-9]+", replacement: "ACCOUNT_ID" },
    { regex: "token=[^&]+", replacement: "token=REDACTED" },
    { regex: "/users/[^/]+", replacement: "/users/USER_ID" }
])
```
To remove all rules at runtime, call nrSetObfuscationRules with an empty array:
```brightscript
nrSetObfuscationRules(m.nr, [])
```
Rule ordering
The agent applies rules in the order they appear in the array. The output of one rule becomes the input to the next. Order matters when patterns could overlap:
```brightscript
nrSetObfuscationRules(m.nr, [
    ' Applied first — masks the specific token format
    { regex: "auth-token-[a-z0-9]+", replacement: "AUTH_TOKEN" },
    ' Applied second — masks any remaining bare token references
    { regex: "token=[^&]+", replacement: "token=REDACTED" }
])
```
Behavior and edge cases
| Case | Behavior |
|---|---|
| No rules configured | The agent passes all attribute values through unchanged with no performance impact. |
| Empty replacement string | The agent removes the matched content from the value. |
| Invalid regex pattern | The agent skips the rule and writes a warning to the log. |
| Non-string attribute values | The agent passes these through unchanged. Only string values are processed. |
| Replacing all rules | Call nrSetObfuscationRules again with the new array. The agent discards all previous rules. |
Important
Roku uses roRegex for pattern matching. Roku doesn't support complex lookahead/lookbehind assertions. Patterns that are valid in JavaScript or Java regex may need to be simplified for Roku.