topic Re: Why is Anonymize data not working? in Getting Data In

Why is Anonymize data not working?

vengisa — Fri, 01 Apr 2022 18:45:32 GMT

Hello,

i am trying to anonymize data in forwarder using the below:

The data AABC123456789012 needs to be transformed to AABC12XXXXXX9012

The regex seems to be not working.

Any help is appreciated.

Mar 31 13:34:56 10.209.7.69 Mar 31 13:34:56 1234567890_admin yia0WAM 65.92.243.116 eyuiopppp.***.com 123.55.000.88 - AABC123456789012 [31/Mar/2022:13:34:39 -0400] 'GET /me-and-***/***intranetstandards/_assets-responsive/v1/fonts/trtr/rtyruroop-ghjtltutt-webfont.woff HTTP/1.1' 200 29480 erty-tyunht.pg.uhg.com 31/Mar/2022:13:34:39.531 -0400 6163 text/plain; charset=UTF-8 "https://****.yyy.com/assets/hr/css/*******.min.css"

tranforms.conf

[abcbc_isam]
REGEX = 'AABC[0-9]{5,16}'
DEST_KEY = _raw
FORMAT = $1AABC[0-9]{2}XXXXXX[0-9]{4}$2

props.conf

[host::AE110501]
TRANSFORMS-set= abcbc_isam
disabled = false

Re: Anonymize data not working

somesoni2 — Fri, 01 Apr 2022 18:09:10 GMT

Give this a try

[abcbc_isam] REGEX = (AABC)(\d{8})(\d{4}) DEST_KEY = _raw FORMAT = $1XXXXXXXX$3

Re: Anonymize data not working

vengisa — Mon, 04 Apr 2022 13:24:23 GMT

Nope. Still not working..

Re: Why is Anonymize data not working?

PickleRick — Mon, 04 Apr 2022 13:28:39 GMT

Are you trying to do it on Universal Forwarder? It won't work. You have to do it on first "heavy" (based on a full splunk enterprise installation package) component in event's path. If you're sending events from UF's directly to indexers, do it on indexers. If you have an intermediate layer of HF's, do it on HF's.

Re: Why is Anonymize data not working?

venky1544 — Mon, 04 Apr 2022 14:24:16 GMT

Hi @vengisa

you can try the sedcmd in props.conf and dont require in transform but this should go to indexer
SED script works at index time and executed on _raw field. so should be in indexer

first you can test the sedcmd in a rex in a search: to check if masking is working

your search |rex mode=sed field= _raw max_match=0 "s/(AABC)(\d{8})(\d{4})/$1XXXXXX$2/"

if it works

Just write this is in props.conf . you do not need to write transforms.conf.

[websphere_trlog_sysout]

SEDCMD-replace=/(([\d+\-]+) ([\d+:]+))/XXXXXX/

and then restart the server.

Hope this helps

Re: Why is Anonymize data not working?

vengisa — Fri, 08 Apr 2022 16:37:51 GMT

Yes. I am using heavy forwarder -> indexer -> search head

Re: Why is Anonymize data not working?

PickleRick — Fri, 08 Apr 2022 16:50:06 GMT

And you put those props and transforms where?