https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211549#M41638 <P>Hi locose,</P> <P>looks like the regex does not match your example events; this regex will match:</P> <PRE><CODE> [SsNn_]+.+?['\s]+\d+' </CODE></PRE> <P>tested and working on <A href="https://regex101.com">https://regex101.com</A> . So your <CODE>props.conf</CODE> should look like this:</P> <PRE><CODE>[my_source_type] SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx/g </CODE></PRE> <P>Place this on the Splunk instance where the parsing happens <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings</A> and restart Splunk; it will also only be applied to new events.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 02 Nov 2015 19:32:17 GMT MuS 2015-11-02T19:32:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211548#M41637 <P>I'm trying to mask SSN using the SEDCMD command, but it isn't working. </P> <P>My search:</P> <PRE><CODE>sourcetype = my_source_type *SSN </CODE></PRE> <P>returns</P> <PRE><CODE>'Call_SSN' '123456789' 'Ssn_bla' '987654321' 'bla_SSN' '123456789' </CODE></PRE> <P>I updated the system/local/props.conf</P> <PRE><CODE>[my_source_type] SEDCMD-ssncall = s/=\d{5}(\d{4})/*SSN xxxxx\1/g </CODE></PRE> <P>But it's not masking it. </P> Mon, 02 Nov 2015 19:12:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211548#M41637 locose 2015-11-02T19:12:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211549#M41638 <P>Hi locose,</P> <P>looks like the regex does not match your example events; this regex will match:</P> <PRE><CODE> [SsNn_]+.+?['\s]+\d+' </CODE></PRE> <P>tested and working on <A href="https://regex101.com">https://regex101.com</A> . So your <CODE>props.conf</CODE> should look like this:</P> <PRE><CODE>[my_source_type] SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx/g </CODE></PRE> <P>Place this on the Splunk instance where the parsing happens <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings</A> and restart Splunk; it will also only be applied to new events.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 02 Nov 2015 19:32:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211549#M41638 MuS 2015-11-02T19:32:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211550#M41639 <P>Hello MuS</P> <P>unfortunately that didn't work</P> Mon, 02 Nov 2015 20:13:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211550#M41639 locose 2015-11-02T20:13:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211551#M41640 <P>Can you tell what you did?</P> Mon, 02 Nov 2015 20:43:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211551#M41640 MuS 2015-11-02T20:43:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211552#M41641 <P>So my serach query is still </P> <P>sourcetype = my_source_type SSN</P> <P>I'm still getting</P> <P>SsN_ENA<BR /> Call_SSN<BR /> BLA_sSN</P> <P>in the search results</P> <P>In the system/local/props.conf </P> <PRE><CODE> [my_source_type] SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx\1/g </CODE></PRE> Tue, 29 Sep 2020 07:47:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211552#M41641 locose 2020-09-29T07:47:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211553#M41642 <P>take this run everywhere search which works:</P> <PRE><CODE>| gentimes start=-1 | eval foo="'Call_SSN' '123456789' 'Ssn_bla' '987654321' 'bla_SSN' '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx/g" </CODE></PRE> <P>my provided SEDCMD will only replace the values NOT the fields.</P> Mon, 02 Nov 2015 21:10:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211553#M41642 MuS 2015-11-02T21:10:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211554#M41643 <P>If you are using <CODE>INDEXED_EXTRACTIONS</CODE> to create those fields, then they are created at Index-Time in the time parsing portion of the pipeline that executes before the SEDCMD is executed. If you get SEDCMD working what should happen is that field <CODE>_raw</CODE> <EM>will</EM> be modified, but the <CODE>INDEXED_EXTRACTIONS</CODE> fields will still contain the pre-mod text.</P> Tue, 03 Nov 2015 00:04:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211554#M41643 woodcock 2015-11-03T00:04:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211555#M41644 <P>This is way I told this before <span class="lia-unicode-emoji" title=":winking_face:">😉</span> -&gt; </P> <BLOCKQUOTE> <P>Place this on the Splunk instance where the parsing happens<BR /> <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings</A></P> </BLOCKQUOTE> Tue, 03 Nov 2015 00:16:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-SSN-at-index-time-using-SEDCMD-in-props-conf/m-p/211555#M41644 MuS 2015-11-03T00:16:57Z