Hi, I am trying to mask some data while indexing. Below is one single event where the tag "SecurityQuestion" is occurring multiple times and I want to mask all of its values.
Can someone please advise?
(SecurityQuestion)Favorite song(SecurityQuestion)(SecurityAnswer)TEST(SecurityAnswer)
(SecurityQuestion)Favorite band(SecurityQuestion)(SecurityAnswer)TEST123(SecurityAnswer)
What we did was to hide the data at the indexing layer when there was data we didn't want.
In our case there was secret_data= as a URL parameter that we wanted to remove.
So I updated the props.conf on the indexers.
[my_sourcetype]
[source::/path/to/my/logs]
SEDCMD-remove_secret_data = s/(&)?secret_data=[^&\s.]+//g
Hi!
Check out the Splunk documentation on Anonymize data.
EDIT: Here is the sed command:
s/\(SecurityQuestion\).+?\(SecurityQuestion\)\(SecurityAnswer\).+?\(SecurityAnswer\)/(SecurityQuestion)########(SecurityQuestion)(SecurityAnswer)########(SecurityAnswer)/g
I did already, and I was trying to use the SED command but was not able to get anywhere. Could you give me a start on this?
I edited my first reply and added the sed command because apparently comments cannot display backslashes.
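A way to check the sed expression above offline against the sample event from the question before putting it in props.conf, as an added example that is not part of the original thread. It assumes Python's re module handles this pattern the same way Splunk's SEDCMD does; the function names, the per-tag pattern and the second event (a space between the question and answer tags) are hypothetical and constructed for illustration.

```python
import re

# Pattern and replacement taken from the sed expression in the answer above.
PAIR = re.compile(
    r"\(SecurityQuestion\).+?\(SecurityQuestion\)"
    r"\(SecurityAnswer\).+?\(SecurityAnswer\)"
)
PAIR_REPLACEMENT = (
    "(SecurityQuestion)########(SecurityQuestion)"
    "(SecurityAnswer)########(SecurityAnswer)"
)

# Hypothetical variant: mask each tag on its own, so a value is still masked
# when the question and answer tags are not directly adjacent.
PER_TAG = re.compile(r"\((Security(?:Question|Answer))\).+?\(\1\)")


def mask_pairs(event):
    """Apply the thread's expression (the s/.../.../g form) to one event."""
    return PAIR.sub(PAIR_REPLACEMENT, event)


def mask_per_tag(event):
    """Apply the per-tag variant to one event."""
    return PER_TAG.sub(r"(\1)########(\1)", event)


def leaked(event, secrets):
    """Return the secret values that are still present after masking."""
    return [s for s in secrets if s in event]


# The event from the question (two lines, one event).
SAMPLE_EVENT = (
    "(SecurityQuestion)Favorite song(SecurityQuestion)(SecurityAnswer)TEST(SecurityAnswer)\n"
    "(SecurityQuestion)Favorite band(SecurityQuestion)(SecurityAnswer)TEST123(SecurityAnswer)"
)
SAMPLE_SECRETS = ["Favorite song", "Favorite band", "TEST", "TEST123"]

# Constructed event: the tags are separated by a space.
SPACED_EVENT = "(SecurityQuestion)First pet(SecurityQuestion) (SecurityAnswer)Rex(SecurityAnswer)"
SPACED_SECRETS = ["First pet", "Rex"]

if __name__ == "__main__":
    for name, event, secrets in [("sample", SAMPLE_EVENT, SAMPLE_SECRETS),
                                 ("spaced", SPACED_EVENT, SPACED_SECRETS)]:
        print(name, "pair expression leaks:", leaked(mask_pairs(event), secrets))
        print(name, "per-tag variant leaks:", leaked(mask_per_tag(event), secrets))
```

If the pair expression reports leaks on real data, the layout of those events differs from the sample in the question and the pattern needs adjusting before it is deployed.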