topic Unable to anonymize / mask data using regex in Splunk Search

Unable to anonymize / mask data using regex

zerolife — Mon, 28 Sep 2020 16:22:20 GMT

I'm trying to mask the IP address from the below sample syslog per the following guide but it's just not working. Is my regex expression wrong? I'm no regex guru so I'm generating the regex expression from online tools.
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/Anonymizedatausingconfigurationfiles

Sample Log:
Apr 11 10:47:30 192.168.1.1 stingray_xml_slave: ....

pref.conf:

[syslog]
TRANSFORMS-anonymize = testing

transforms.conf:

[testing]
REGEX = \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
FORMAT = $1#####$2
DEST_KEY = _raw

I also tried the following Regex expresion generated by txt2re.com with no luck either:

((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])

somesoni2 — Fri, 11 Apr 2014 19:58:19 GMT

Try this.

props.conf

[syslog]
SEDCMD-ipaddress = s/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/xxxxx/g

no transforms.conf entries.

Ayn — Fri, 11 Apr 2014 20:03:01 GMT

Any particular reason why you're using TRANSFORMS for this and not SEDCMD?

Also I'm assuming "pref.conf" is a typo?

...and finally where are you implementing this, on an indexer?

zerolife — Fri, 11 Apr 2014 20:12:45 GMT

thanks for the try. However I rebooted Splunk and it's still not masking incoming syslog

zerolife — Fri, 11 Apr 2014 20:23:20 GMT

I was an idiot, had mistyped props -> pref. thanks somesoni2 and Ayn for your help