Archive

How can i mask this data at index time?

New Member

I will like to mask this data so that the password value is "XXXXXXXX". I have tried SEDCMD, scrub and transforms but I just couldn't get it done. Thanks for your help

Tags (1)
0 Karma
1 Solution

Super Champion

Index time means you can never recover the value again. Splunk's official documentation to anonymize data

  • Create an app (eg mymaskapp)
  • within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg probable_password_sourcetype)
  • within "local" directory, create props.conf and put the value for the above sourcetype

Example

[probable_password_sourcetype]
TRANSFORMS-anonymize = password-anonymizer
  • Now create transforms.conf in "local" and put the regex logic. Below is a sample only

Example

[password-anonymizer]
REGEX = (?m)^(.*)password=\w+(\w{4}[&"].*)$
FORMAT = $1password=########$2
DEST_KEY = _raw

View solution in original post

0 Karma

Super Champion

Index time means you can never recover the value again. Splunk's official documentation to anonymize data

  • Create an app (eg mymaskapp)
  • within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg probable_password_sourcetype)
  • within "local" directory, create props.conf and put the value for the above sourcetype

Example

[probable_password_sourcetype]
TRANSFORMS-anonymize = password-anonymizer
  • Now create transforms.conf in "local" and put the regex logic. Below is a sample only

Example

[password-anonymizer]
REGEX = (?m)^(.*)password=\w+(\w{4}[&"].*)$
FORMAT = $1password=########$2
DEST_KEY = _raw

View solution in original post

0 Karma

New Member

Thanks @ koshyk for the insight. But I'm still having issues getting the sample data masked at index time.

Sample data to be masked : ns2:arg name="password" value="utTSsgTST9B"/
props.conf
[password_log]
TRANSFORMS-anonymize = password-anonymizer

transforms.conf
[password-anonymizer]
REGEX = (?m)^(.)"password"=\s\w+('[a-z0-9#])["/].)$
FORMAT = $1password=########$2
DEST_KEY = _raw

What am i doing wrong?
Thanks
-u

0 Karma

Super Champion

Good to see a sample data. Your regex seems wrong

Have a try below.

[password-anonymizer]
REGEX =(?m)^(.+)\svalue=\"([\w\W]+)\"(.*)$
FORMAT = $1 value=########$3
DEST_KEY = _raw

0 Karma

New Member

Thanks. It worked.

0 Karma

Motivator

Please mark the answer as accepted if this works for you 😉

0 Karma