topic Re: Trying to Anonymise data using SED command in Getting Data In

Trying to Anonymise data using SED command

Venkat_16 — Tue, 29 Sep 2020 17:43:48 GMT

I have been trying out to Anonymise below logs using SED function,but its not wokring, Please find the use case below:

Input:

10.192.1.46 - - [30/Jul/2014:23:59:15] "POST /flower_store/order.do HTTP/1.1" 200 13849 "http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=SD5SL10FF8ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 1463 2971

Output:

10.192.1.46 - - [30/Jul/2014:23:59:15] "POST /flower_store/order.do HTTP/1.1" 200 13849 "http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=#####10FF8ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 1463 2971

Have deployed the below configuration in Indexer as using Sed command:

sourcetype is testing.

props.conf

[testing]
SEDCMD-testing = s/JSESSIONID=\w{2}\d\w{2}\d{2}\w{2}/JSESSIONID=#####\1/g

Re: Trying to Anonymise data using SED command

horsefez — Tue, 16 Jan 2018 13:46:37 GMT

Hi,

you were missing a capture group

take this regex:
s/JSESSIONID=\w{2}\d\w{2}(\d{2}\w{2})/JSESSIONID=#####\1/g

Re: Trying to Anonymise data using SED command

493669 — Tue, 16 Jan 2018 13:52:40 GMT

Can you try below:

[testing]
SEDCMD-testing = s/JSESSIONID=\w{2}\d\w{2}(\d{2}\w{2})/JSESSIONID=#####\1/g

Re: Trying to Anonymise data using SED command

mayurr98 — Tue, 16 Jan 2018 14:00:38 GMT

hey try this run anywhere search

| makeresults | eval raw="10.192.1.46 - - [30/Jul/2014:23:59:15] \"POST /flower_store/order.do HTTP/1.1\" 200 13849 \"http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=SD5SL10FF8ADFF3\" \"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10\" 1463 2971" | rex field=raw mode=sed "s/JSESSIONID=(\w{2}\d\w{2})/JSESSIONID=#####/g"

Ideally in your environment you should wirte

[testing]
SEDCMD-testing = s/JSESSIONID=(\w{2}\d\w{2})/JSESSIONID=#####/g

let me know if this helps !

Re: Trying to Anonymise data using SED command

Venkat_16 — Tue, 16 Jan 2018 14:04:08 GMT

I guess all your answers helped me thanks alot for that...i liked this one beucase it helped us learn a new command....make results...thanks aton

Re: Trying to Anonymise data using SED command

Venkat_16 — Tue, 16 Jan 2018 14:04:22 GMT

Thanks alot it works!

Re: Trying to Anonymise data using SED command

Venkat_16 — Tue, 16 Jan 2018 14:04:35 GMT

Thanks a lot for your help!