topic Re: How to mask sensitive data at index time? in Getting Data In

How to mask sensitive data at index time?

MWAKburns — Tue, 06 Jun 2017 16:44:06 GMT

I am trying to mask PII data at index time. Here is an example of PII data I am trying to mask:

RecipientSSNxxx-xx-4321RecipientSSN

I am able to mask it at search time using this

        source= mysource 
        | rex "(?RecipientSSN\d{3}\-\d{2}\-\d{4})" 
        | rex field=RecipientSSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g"

However, I need it to masked at index time. I have tried the following in props.conf and transforms.conf (system\local for both):

props.conf

[nsb_message]
TRANSFORMS-anonymize = ssn-anonymizer

transforms.conf

[ssn-anonymizer]
regex = (\d{3}\-\d{2}\-)(\d{4})
FORMAT= $1XXX-XX-$2
DEST_KEY = _raw

I have restarted Splunk, input new test files via index file monitors one-time, and the SSN is still not masked. Any help would be appreciated. I verified that the sourcetype does exist in the inputs.conf (system\local) as well.

Any help or pointers would be greatly appreciated!

Re: How to mask sensitive data at index time?

rjthibod — Tue, 06 Jun 2017 17:26:26 GMT

How about following the simple SED example here: https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_script

in props.conf

[nsb_message]
SEDCMD-ssn_anon = s/RecipientSSN(\d{3}-\d{2}-)(\d{4})/RecipientSSNXXX-XX-\2/g

Re: How to mask sensitive data at index time?

MWAKburns — Tue, 06 Jun 2017 17:34:45 GMT

That worked! Thanks rjthibod!

Re: How to mask sensitive data at index time?

bestSplunker — Tue, 24 Apr 2018 06:41:56 GMT

SEDCMD- , Is this class name user-defined?

Re: How to mask sensitive data at index time?

ss026381 — Fri, 07 Jun 2019 19:38:06 GMT

From doc: Any text after SEDCMD- can be any string that helps you identify what the transformation script does. The clause must exist because it and the SEDCMD stem form the class name for the script