Archive

data masking not working

Path Finder

this is the log file

bash-4.2$ more mask.log .( static log file for testing. added it via input file monitoring from web for index idx1)
123456789123456789
[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983
[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983

here is my props.conf in /local/

bash-4.2$ more props.conf
[mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g

when i am searching for the index, i am getting unmasked log file, masking is just not working

please help out.

Tags (1)
0 Karma
1 Solution

Legend

Hi Prakhar_shukla,
do you want to mask your AcctlID in the data before indexing ?
in this case you should insert in your props.conf at first a stanza with sourcetype and not with source (I found problems with sources or hosts) and after you should modify your regex in SEDCMD command

[your_sourcetype]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g 

Bye.
Giuseppe

View solution in original post

0 Karma

Esteemed Legend

Your configuration is correct to mask the first 4 digits and you can see this like this:

|makeresults | eval raw="VendorID=9112 Code=B1 AcctID=4902343983"
| rename raw AS _raw
| rex mode=sed "s/AcctID=...../AcctID=XXXXX/g"

You need to deploy this to props.conf but first fix your stanza header. I doubt that your sourctype is mask.log Check your inputs.conf and find out what you set sourcetype to and use that or, if you need to use source, then use this:

[source::mask.log]

Deploy to your Indexers (or HFs), restart splunk there and verify on NEW events (old events will stay broken).

0 Karma

Esteemed Legend

Did you try this? Did it work?

0 Karma

Path Finder

thanks cusello, woodcock. yes it worked after replacing source with sourcetype.

0 Karma

Legend

Hi Prakhar_shukla,
do you want to mask your AcctlID in the data before indexing ?
in this case you should insert in your props.conf at first a stanza with sourcetype and not with source (I found problems with sources or hosts) and after you should modify your regex in SEDCMD command

[your_sourcetype]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g 

Bye.
Giuseppe

View solution in original post

0 Karma

Path Finder

here i am trying to mask 1st 5 number from AcctID. mask.log file is in /tmp/ fold.

0 Karma