Solved: How do you mask sensitive data from Splunk?

Shashank_87 · ‎12-05-2018

Hi, I am trying to mask some data while indexing. Below is one single event where the tag "SecurityQuestion" is occuring multiple times and I want to mask all of its values.

Can someone please advice?

(SecurityQuestion)Favorite song(SecurityQuestion)(SecurityAnswer)TEST(SecurityAnswer)
(SecurityQuestion)Favorite band(SecurityQuestion)(SecurityAnswer)TEST123(SecurityAnswer)

whrg · ‎12-05-2018

Hi!

Check out the Splunk documentation on Anonymize data.

EDIT: Here is the sed command:

s/\(SecurityQuestion\).+?\(SecurityQuestion\)\(SecurityAnswer\).+?\(SecurityAnswer\)/(SecurityQuestion)########(SecurityQuestion)(SecurityAnswer)########(SecurityAnswer)/g

View solution in original post

burwell · ‎12-05-2018

What we did was to hide the data at the indexing layer when there was data we didn't want.

In our case there was secret_data= as a URL parameter that we wanted to removed.

So I updated the props.conf on the indexers.

[my_sourctype]
[source::/path/to/my/logs]
SEDCMD-remove_secret_data = s/(&)?secret_data=[^&\s.]+//g

whrg · ‎12-05-2018

Hi!

Check out the Splunk documentation on Anonymize data.

EDIT: Here is the sed command:

s/\(SecurityQuestion\).+?\(SecurityQuestion\)\(SecurityAnswer\).+?\(SecurityAnswer\)/(SecurityQuestion)########(SecurityQuestion)(SecurityAnswer)########(SecurityAnswer)/g

Shashank_87 · ‎12-05-2018

I did already and I was trying using SED command but not able to get to anything. Could you give me a start on this?

whrg · ‎12-05-2018

I edited my first reply and added the sed command because apparently comments cannot display backslashes.

How do you mask sensitive data from Splunk?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!