data masking not working

Path Finder

This is the log file:

bash-4.2$ more mask.log (static log file for testing; added it via input file monitoring from web for index idx1)
123456789123456789
[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983
[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983

Here is my props.conf in /local/:

bash-4.2$ more props.conf
[mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g

When I am searching the index, I am getting the unmasked log file; masking is just not working.

Please help out.

1 Solution

SplunkTrust

Hi Prakhar_shukla,
do you want to mask your AcctID in the data before indexing?
In this case you should first insert in your props.conf a stanza with sourcetype and not with source (I found problems with sources or hosts), and then you should modify your regex in the SEDCMD command:

[your_sourcetype]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g

Bye.
Giuseppe


Esteemed Legend

Your configuration is correct to mask the first 4 digits and you can see this like this:

|makeresults | eval raw="VendorID=9112 Code=B1 AcctID=4902343983"
| rename raw AS _raw
| rex mode=sed "s/AcctID=...../AcctID=XXXXX/g"

You need to deploy this to props.conf, but first fix your stanza header. I doubt that your sourcetype is mask.log. Check your inputs.conf and find out what you set sourcetype to and use that or, if you need to use source, then use this:

[source::mask.log]

Deploy to your Indexers (or HFs), restart splunk there and verify on NEW events (old events will stay broken).

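To see what the two SEDCMD expressions in this thread actually do to an event, here is an added Python example (not code from the thread or from Splunk). It translates a sed-style `s/pattern/replacement/flags` command into a Python `re.sub` call, applies it to constructed sample events modelled on the question's log lines, and then checks whether any digits survive in the AcctID field. The sed-to-Python translation is an approximation of Splunk's SEDCMD (which uses its own regex engine), and the sample events, helper names and the short-AcctID edge case are constructed for this demonstration.

```python
import re

# Constructed sample events, modelled on the log lines in the question.
# The third line is a constructed edge case with a short account id.
SAMPLE_EVENTS = [
    "[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983",
    "[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983",
    "[05/Apr/2017:00:04:48:21] VendorID=9114 Code=B3 AcctID=77",
]

# The two SEDCMD expressions quoted in the thread.
SEDCMD_FIVE_CHARS = r"s/AcctID=...../AcctID=XXXXX/g"
SEDCMD_ALL_DIGITS = r"s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g"


def parse_sed_substitution(sedcmd):
    """Split a sed 's/pattern/replacement/flags' command into its three parts.

    Backslash-escaped characters (including an escaped '/') are kept intact.
    Only the 's' command with '/' as delimiter is supported, which is the
    form SEDCMD takes in this thread.
    """
    if not sedcmd.startswith("s/"):
        raise ValueError("only s/.../.../ substitutions are supported")
    parts, current, i = [], [], 2
    while i < len(sedcmd):
        ch = sedcmd[i]
        if ch == "\\" and i + 1 < len(sedcmd):
            current.append(sedcmd[i:i + 2])  # keep escape pairs together
            i += 2
            continue
        if ch == "/":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    if len(parts) != 3:
        raise ValueError("malformed substitution: %r" % sedcmd)
    pattern, replacement, flags = parts
    return pattern, replacement, flags


def sed_replacement_to_python(repl):
    """Convert a sed replacement string to Python re.sub syntax.

    sed: '&' is the whole match, '\\1' a group reference, and '\\=' a
    literal '='. Python's re.sub would leave an unknown '\\=' escape in
    the output verbatim, so escapes of ordinary characters are unwrapped.
    """
    out, i = [], 0
    while i < len(repl):
        ch = repl[i]
        if ch == "\\" and i + 1 < len(repl):
            nxt = repl[i + 1]
            if nxt.isdigit():
                out.append(r"\g<%s>" % nxt)   # group reference
            elif nxt == "\\":
                out.append(r"\\")             # literal backslash
            else:
                out.append(nxt)               # e.g. '\=' -> '='
            i += 2
            continue
        if ch == "&":
            out.append(r"\g<0>")              # whole match
        elif ch == "\\":
            out.append(r"\\")                 # lone trailing backslash
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def apply_sedcmd(sedcmd, event):
    """Apply one SEDCMD-style substitution to a single event string."""
    pattern, replacement, flags = parse_sed_substitution(sedcmd)
    count = 0 if "g" in flags else 1          # 'g' = replace every match
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(pattern, sed_replacement_to_python(replacement), event,
                  count=count, flags=re_flags)


def unmasked_acct_ids(event):
    """Return AcctID values that still contain digits after masking.

    Running this over a sample of freshly indexed events is a quick way to
    confirm that the SEDCMD took effect; SEDCMD only rewrites events indexed
    after the configuration change, so older events will still show digits.
    """
    return [v for v in re.findall(r"AcctID=(\S+)", event) if re.search(r"\d", v)]


def masking_report(sedcmd, events):
    """Return (masked_event, leftover_ids) pairs for every sample event."""
    masked = [apply_sedcmd(sedcmd, e) for e in events]
    return [(m, unmasked_acct_ids(m)) for m in masked]


if __name__ == "__main__":
    for sedcmd in (SEDCMD_FIVE_CHARS, SEDCMD_ALL_DIGITS):
        print(sedcmd)
        for masked, leftover in masking_report(sedcmd, SAMPLE_EVENTS):
            print("  ", masked, "  <-- digits remain" if leftover else "")
```

The report makes the practical difference visible: `AcctID=.....` blanks exactly five characters and leaves the rest of the number in the event (and does not match an AcctID shorter than five characters at all), whereas `AcctID\=\d+` replaces the whole digit run with a fixed-length mask, so no part of the original value reaches the index.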

Esteemed Legend

Did you try this? Did it work?


Path Finder

Thanks cusello, woodcock. Yes, it worked after replacing source with sourcetype.

Path Finder

Here I am trying to mask the first 5 numbers of AcctID. The mask.log file is in the /tmp/ folder.
