this is the log file
bash-4.2$ more mask.log (static log file for testing; added it via input file monitoring from web for index idx1)
123456789123456789
[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983
[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983
here is my props.conf in /local/
bash-4.2$ more props.conf
[mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g
When I search the index, I am getting the unmasked log file; masking is just not working.
Please help out.
Hi Prakhar_shukla,
Do you want to mask your AcctID in the data before indexing?
In this case you should first insert in your props.conf a stanza with the sourcetype and not with the source (I found problems with sources or hosts), and after that you should modify your regex in the SEDCMD command:
[your_sourcetype]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g
Bye.
Giuseppe
Your configuration is correct to mask the first 4 digits and you can see this like this:
|makeresults | eval raw="VendorID=9112 Code=B1 AcctID=4902343983"
| rename raw AS _raw
| rex mode=sed "s/AcctID=...../AcctID=XXXXX/g"
You need to deploy this to props.conf, but first fix your stanza header. I doubt that your sourcetype is mask.log. Check your inputs.conf and find out what you set sourcetype to, and use that, or, if you need to use source, then use this:
[source::mask.log]
Deploy to your Indexers (or HFs), restart splunk there and verify on NEW events (old events will stay broken).
Did you try this? Did it work?
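As an added example (not code from the thread or from Splunk), the script below emulates how a props.conf SEDCMD is applied to the sample event above: no masking when no stanza matches the event's sourcetype or source, first-five-character masking with the `.....` pattern, and whole-number masking with the `\d+` version. The stanza name vendor_log and the exact-match stanza lookup are assumptions; Splunk's real stanza matching (wildcards, precedence) is not reproduced.

```python
import re

# Constructed props.conf (stanza/sourcetype names are assumptions). [mask.log] is the
# question's stanza; source:: and sourcetype stanzas are the two forms suggested above.
PROPS_CONF = r"""
[mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g
[source::/tmp/mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g
[vendor_log]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g
"""
SAMPLE_EVENT = "[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983"
SED_EXPR = re.compile(r"^s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)$")  # s/regex/repl/[g]

def _py_template(sed_repl):
    """Translate sed replacement syntax to a Python re template: & -> whole match,
    \\N stays a group reference, \\\\ stays a backslash, any other \\x -> literal x."""
    def conv(m):
        esc = m.group(1)
        if esc is None:
            return r"\g<0>"  # bare & in sed means the whole match
        return "\\" + esc if esc.isdigit() or esc == "\\" else esc
    return re.sub(r"\\(.)|&", conv, sed_repl)

def parse_sedcmds(conf_text):
    """Return {stanza_name: [(compiled_regex, python_template, is_global), ...]}."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif current is not None and line.startswith("SEDCMD-"):
            m = SED_EXPR.match(line.split("=", 1)[1].strip())
            if not m:
                raise ValueError("unsupported SEDCMD syntax: " + line)
            stanzas[current].append((re.compile(m.group(1)), _py_template(m.group(2)), m.group(3) == "g"))
    return stanzas

def mask_event(stanzas, event, matching_stanzas):
    """Apply the SEDCMDs of the stanzas that would match this event (its sourcetype
    name and/or 'source::<path>'); a name with no stanza applies nothing (simplified)."""
    for name in matching_stanzas:
        for regex, template, is_global in stanzas.get(name, []):
            event = regex.sub(template, event, count=0 if is_global else 1)
    return event
```

Calling mask_event with ["mylog"] returns the event unchanged (the question's symptom), ["source::/tmp/mask.log"] yields AcctID=XXXXX43983, and ["vendor_log"] yields AcctID=XXXXXXXXXX.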
Thanks cusello, woodcock. Yes, it worked after replacing source with sourcetype.
Here I am trying to mask the first 5 numbers of AcctID. The mask.log file is in the /tmp/ folder.