https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310927#M21361 <P>Hi Prakhar_shukla,<BR /> do you want to mask your AcctlID in the data before indexing ?<BR /> in this case you should insert in your props.conf at first a stanza with sourcetype and not with source (I found problems with sources or hosts) and after you should modify your regex in SEDCMD command</P> <PRE><CODE>[your_sourcetype] SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 05 Apr 2017 11:35:57 GMT gcusello 2017-04-05T11:35:57Z https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310925#M21359 <P>this is the log file</P> <P>bash-4.2$ more mask.log .( static log file for testing. added it via input file monitoring from web for index idx1)<BR /> 123456789123456789<BR /> [05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983<BR /> [05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983</P> <P>here is my props.conf in /local/</P> <P>bash-4.2$ more props.conf<BR /> [mask.log]<BR /> SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g</P> <P>when i am searching for the index, i am getting unmasked log file, masking is just not working</P> <P>please help out.</P> Wed, 05 Apr 2017 11:13:05 GMT https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310925#M21359 Prakhar_shukla 2017-04-05T11:13:05Z https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310926#M21360 <P>here i am trying to mask 1st 5 number from AcctID. mask.log file is in /tmp/ fold.</P> Wed, 05 Apr 2017 11:28:46 GMT https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310926#M21360 Prakhar_shukla 2017-04-05T11:28:46Z https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310927#M21361 <P>Hi Prakhar_shukla,<BR /> do you want to mask your AcctlID in the data before indexing ?<BR /> in this case you should insert in your props.conf at first a stanza with sourcetype and not with source (I found problems with sources or hosts) and after you should modify your regex in SEDCMD command</P> <PRE><CODE>[your_sourcetype] SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 05 Apr 2017 11:35:57 GMT https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310927#M21361 gcusello 2017-04-05T11:35:57Z https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310928#M21362 <P>Your configuration is correct to mask the first 4 digits and you can see this like this:</P> <PRE><CODE>|makeresults | eval raw="VendorID=9112 Code=B1 AcctID=4902343983" | rename raw AS _raw | rex mode=sed "s/AcctID=...../AcctID=XXXXX/g" </CODE></PRE> <P>You need to deploy this to <CODE>props.conf</CODE> but first fix your stanza header. I doubt that your <CODE>sourctype</CODE> is <CODE>mask.log</CODE> Check your <CODE>inputs.conf</CODE> and find out what you set <CODE>sourcetype</CODE> to and use that or, if you need to use <CODE>source</CODE>, then use this:</P> <PRE><CODE>[source::mask.log] </CODE></PRE> <P>Deploy to your Indexers (or HFs), restart splunk there and verify on NEW events (old events will stay broken).</P> Wed, 05 Apr 2017 14:01:23 GMT https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310928#M21362 woodcock 2017-04-05T14:01:23Z https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310929#M21363 <P>Did you try this? Did it work?</P> Wed, 05 Apr 2017 18:36:47 GMT https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310929#M21363 woodcock 2017-04-05T18:36:47Z https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310930#M21364 <P>thanks cusello, woodcock. yes it worked after replacing source with sourcetype.</P> Thu, 06 Apr 2017 03:45:42 GMT https://community.splunk.com/t5/Deployment-Architecture/data-masking-not-working/m-p/310930#M21364 Prakhar_shukla 2017-04-06T03:45:42Z