Deployment Architecture

data masking not working

Prakhar_shukla
Path Finder

This is the log file (a static log file for testing; I added it via input file monitoring from the web for index idx1):

bash-4.2$ more mask.log
123456789123456789
[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983
[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983

Here is my props.conf in /local/:

bash-4.2$ more props.conf
[mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g

When I search the index, I get the unmasked log file; the masking is just not working.

Please help out.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi Prakhar_shukla,
do you want to mask your AcctID in the data before indexing?
In this case you should first insert in your props.conf a stanza with the sourcetype and not with the source (I found problems with sources or hosts), and then you should modify your regex in the SEDCMD command:

[your_sourcetype]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g

Bye.
Giuseppe


0 Karma

woodcock
Esteemed Legend

Your configuration is correct to mask the first 4 digits, and you can see it like this:

|makeresults | eval raw="VendorID=9112 Code=B1 AcctID=4902343983"
| rename raw AS _raw
| rex mode=sed "s/AcctID=...../AcctID=XXXXX/g"

You need to deploy this to props.conf, but first fix your stanza header. I doubt that your sourcetype is mask.log. Check your inputs.conf and find out what you set sourcetype to and use that or, if you need to use source, then use this:

[source::mask.log]

Deploy to your Indexers (or HFs), restart Splunk there, and verify on NEW events (old events will stay broken).

0 Karma
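The two answers above both hinge on how a props.conf stanza header is matched (a bare name is a sourcetype, `source::` matches the source field) and on what the SEDCMD regex actually replaces. The following is an added simulation, not code from the thread or from Splunk: it applies sed-style SEDCMD values to the two constructed mask.log events under each stanza form, and assumes a source path of /tmp/mask.log and a sourcetype named mask_st.

```python
import re
from fnmatch import fnmatchcase
# Constructed events mirroring the thread's mask.log; the source path and sourcetype are assumed.
EVENTS = [
    {"source": "/tmp/mask.log", "sourcetype": "mask_st",
     "_raw": "[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983"},
    {"source": "/tmp/mask.log", "sourcetype": "mask_st",
     "_raw": "[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983"},
]

def stanza_matches(stanza, event):
    """props.conf stanza selection: a bare name is a sourcetype; 'source::'/'host::'
    are wildcard patterns on that field (simplified: '...' treated like '*')."""
    for prefix, field in (("source::", "source"), ("host::", "host")):
        if stanza.startswith(prefix):
            pattern = stanza[len(prefix):].replace("...", "*")
            return fnmatchcase(event.get(field, ""), pattern)
    return event["sourcetype"] == stanza

def apply_sedcmd(sedcmd, text):
    """Apply one SEDCMD value of the form s/regex/replacement/flags (flags g and i only)."""
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([gi]*)", sedcmd.strip())
    if not m:
        raise ValueError(f"unsupported SEDCMD: {sedcmd!r}")
    pattern, repl, flags = m.groups()
    repl = re.sub(r"\\(\W)", r"\1", repl)  # sed's '\=' is a literal '='; Python's re would keep the backslash
    return re.sub(pattern, repl, text, count=0 if "g" in flags else 1,
                  flags=re.IGNORECASE if "i" in flags else 0)

def mask_events(props, events):
    """props = {stanza: {key: value}}; run every SEDCMD-* of each matching stanza over _raw."""
    masked = []
    for ev in events:
        raw = ev["_raw"]
        for stanza, keys in props.items():
            if stanza_matches(stanza, ev):
                for key in sorted(k for k in keys if k.startswith("SEDCMD-")):
                    raw = apply_sedcmd(keys[key], raw)
        masked.append(raw)
    return masked

# The question's stanza: "[mask.log]" is read as a sourcetype named mask.log, so it never matches.
BROKEN = {"mask.log": {"SEDCMD-1acct": "s/AcctID=...../AcctID=XXXXX/g"}}
# The two fixes from the answers: match on source (full path assumed) or on the real sourcetype.
BY_SOURCE = {"source::/tmp/mask.log": {"SEDCMD-1acct": "s/AcctID=...../AcctID=XXXXX/g"}}
BY_SOURCETYPE = {"mask_st": {"SEDCMD-1acct": r"s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g"}}
if __name__ == "__main__":
    for name, props in (("broken", BROKEN), ("source::", BY_SOURCE), ("sourcetype", BY_SOURCETYPE)):
        print(name, mask_events(props, EVENTS))
```

Running it shows the broken stanza leaving both account numbers intact, the `.....` pattern masking only the first five digits, and the `\d+` pattern masking the whole value.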

woodcock
Esteemed Legend

Did you try this? Did it work?

0 Karma

Prakhar_shukla
Path Finder

Thanks gcusello, woodcock. Yes, it worked after replacing source with sourcetype.

0 Karma

Prakhar_shukla
Path Finder

Here I am trying to mask the first 5 digits of AcctID. The mask.log file is in the /tmp/ folder.

0 Karma