topic Re: Mask a particular field in csv data at Index time in Getting Data In

Mask a particular field in csv data at Index time

divyanshukakwan — Tue, 29 Sep 2020 17:46:53 GMT

I have a csv data that contains some sensitive information like client ip. Here is how one of the rows of the data looks:

David, London,...several more columns...,192.168.0.1

What I want is to mask the IP replacing it with the string "XXXXXXX" so that it produces, for the above row:

David, London, ...several more columns..., XXXXXXX

Also, this operation needs to be performed at index-time.

I have tried setting up transforms in prop.conf and transform.conf:

[source::data.csv]
TRANSFORMS-masking = pii-mask

[pii-mask]
REGEX = .*
FORMAT = ClientIP::XXXXXX
SOURCE_KEY = ClientIP
DEST_KEY = ClientIP

However, even after doing this, the IP still comes up. Can anybody tell me how to fix this issue?

It seems to me that the fields have not been extracted when the transforms are run. If this is the case, how should I get extraction done before transformation?

Edit:
One of the columns in the data is address. This field can contain arbitrary number of commas, for example: "#221, Baker Street, London, England". So, I can't use a simple regular expression in sed. Instead, what I want to know is how to do transforms on extracted field rather than on the _raw field.

Re: Mask a particular field in csv data at Index time

493669 — Tue, 23 Jan 2018 15:56:39 GMT

Try following simple SED example here: https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_script

transforms.conf -

[ClientIP-anonymizer]
REGEX = (?m)^(.*)ClientIP=\d+\.\d+\.\d+\.\d+(.*)$
FORMAT = $1ClientIP=########$2
DEST_KEY = _raw

props.conf -

[source::data.csv]
TRANSFORMS-anonymize = ClientIP-anonymizer

Hope this helps!

Re: Mask a particular field in csv data at Index time

somesoni2 — Tue, 23 Jan 2018 16:14:57 GMT

Try this (need the serial no at which the field appears on CSV, I'm assuming 15, adjust accordingly)

[source::data.csv]
SEDCMD-masking = s/^(([^\,]+,){14})(\d+\.\d+\.\d+\.\d+)/\1XX.XX.XX.XX/

Re: Mask a particular field in csv data at Index time

divyanshukakwan — Tue, 29 Sep 2020 17:47:21 GMT

Ya, this will work. But, I want to operate on the extracted field rather than on the _raw key. Is there any way I can use an extracted field in my SOURCE_KEY attribute?

Re: Mask a particular field in csv data at Index time

493669 — Wed, 24 Jan 2018 06:36:53 GMT

hey,
if you want to do masking on extracted field while displaying then you can use below spl query:

<base search>| replace * WITH XXXXXX IN ClientIP

Re: Mask a particular field in csv data at Index time

divyanshukakwan — Wed, 24 Jan 2018 07:00:00 GMT

I want to do masking at index time, not search time