https://community.splunk.com/t5/Getting-Data-In/Mask-sensitive-data/m-p/434812#M95067 <P>Hi everyone! we are trying to anonymize sensitive information using SEDCMD on props.conf file in the local folder but we haven't gotten success due to a weird behavior, for exemple when we have a simple log <BR /> we can easily mask it but a complex one we can not </P> <P><CODE>SEDCMD = s/Senha:[0-9a-zA-Z]{0,32}/Senha:****/g</CODE></P> <P>Bellow follows the log that we consider complex: </P> <PRE><CODE>{"Bola":"2019-06-17T22:08:26.400-03:00","pato":"Arquitetura","application":"PineOnline","tatu":"ResetarSenha","result":"false", "reqId":"6276A957-0E26-439E-8418-EB7BBBA618A8","version":"","platform":"","httpStatus":"200","reasonCode":"200","url":"https://888282121:999/Path1/Path2", "metodo":"PUT","tempo":"37","userAgent":"","request": {"ip":"","host":"192.168.0.103","client":"ClientIp:888.88.0.888","application-key":"","authorization":"", "customer-hash":"PZyKLE+0ONEfqlZyLgFe7owpccZl3iCdbYqSHiqGY_78y5PSOu+5MKh_MXk84EWKh0Cl5LHXzz+nUEEMPQCOirT5Hu01PvFAerq4ncoYszS8ZIYRpvg8P+zJMfWhT0KrcNXgDPliDXLFuK_gSIydc4QCDiY4MKXRNWn2ygpiiaEletMqkRh2wFALq7Bc5E0iMItlB6jO4mPduR95u+FCPvGn5ynrdtCzjRMciRH1IaL1vtRQijOFUsurwy_L_fGP0g5BUUohPYbBKFTjkFFTiAR11s9jQD2wZ3_pUjmIRgePfkdH021k9RsQrQQ+dr0c23EyEeLd9P+HURJg==", "payload": [{"CPF":"7878787878",Senha:58586762}]},"response": {"host":"192.168.0.20","payload": []}} </CODE></PRE> <P>In our test we realized that when we use a very large payload the transformation does not occur, when we use smaller payload everything seems to work. </P> <P>Reference: </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_script">https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_script</A></P> Wed, 19 Jun 2019 15:02:04 GMT justodaniel 2019-06-19T15:02:04Z https://community.splunk.com/t5/Getting-Data-In/Mask-sensitive-data/m-p/434812#M95067 <P>Hi everyone! we are trying to anonymize sensitive information using SEDCMD on props.conf file in the local folder but we haven't gotten success due to a weird behavior, for exemple when we have a simple log <BR /> we can easily mask it but a complex one we can not </P> <P><CODE>SEDCMD = s/Senha:[0-9a-zA-Z]{0,32}/Senha:****/g</CODE></P> <P>Bellow follows the log that we consider complex: </P> <PRE><CODE>{"Bola":"2019-06-17T22:08:26.400-03:00","pato":"Arquitetura","application":"PineOnline","tatu":"ResetarSenha","result":"false", "reqId":"6276A957-0E26-439E-8418-EB7BBBA618A8","version":"","platform":"","httpStatus":"200","reasonCode":"200","url":"https://888282121:999/Path1/Path2", "metodo":"PUT","tempo":"37","userAgent":"","request": {"ip":"","host":"192.168.0.103","client":"ClientIp:888.88.0.888","application-key":"","authorization":"", "customer-hash":"PZyKLE+0ONEfqlZyLgFe7owpccZl3iCdbYqSHiqGY_78y5PSOu+5MKh_MXk84EWKh0Cl5LHXzz+nUEEMPQCOirT5Hu01PvFAerq4ncoYszS8ZIYRpvg8P+zJMfWhT0KrcNXgDPliDXLFuK_gSIydc4QCDiY4MKXRNWn2ygpiiaEletMqkRh2wFALq7Bc5E0iMItlB6jO4mPduR95u+FCPvGn5ynrdtCzjRMciRH1IaL1vtRQijOFUsurwy_L_fGP0g5BUUohPYbBKFTjkFFTiAR11s9jQD2wZ3_pUjmIRgePfkdH021k9RsQrQQ+dr0c23EyEeLd9P+HURJg==", "payload": [{"CPF":"7878787878",Senha:58586762}]},"response": {"host":"192.168.0.20","payload": []}} </CODE></PRE> <P>In our test we realized that when we use a very large payload the transformation does not occur, when we use smaller payload everything seems to work. </P> <P>Reference: </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_script">https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_script</A></P> Wed, 19 Jun 2019 15:02:04 GMT https://community.splunk.com/t5/Getting-Data-In/Mask-sensitive-data/m-p/434812#M95067 justodaniel 2019-06-19T15:02:04Z https://community.splunk.com/t5/Getting-Data-In/Mask-sensitive-data/m-p/434813#M95068 <P>Strange. When I upload that specific sample event into splunk and set that exact SEDCMD, it works just fine.</P> <P>Can you perhaps share some more info on your setup and how and where you have set this configuration? Is it just for a single sourcetype, or are you using this for several sourcetypes and is one of those working and another not?</P> Wed, 19 Jun 2019 15:12:39 GMT https://community.splunk.com/t5/Getting-Data-In/Mask-sensitive-data/m-p/434813#M95068 FrankVl 2019-06-19T15:12:39Z