data masking not working

Prakhar_shukla
Path Finder

This is the log file:

bash-4.2$ more mask.log
(static log file for testing; added via input file monitoring from the web for index idx1)
123456789123456789
[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983
[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983

Here is my props.conf in /local/:

bash-4.2$ more props.conf
[mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g

When I search the index, I get the unmasked log file; masking is just not working.

Please help out.

1 Solution

gcusello
SplunkTrust

Hi Prakhar_shukla,
Do you want to mask your AcctID in the data before indexing?
In this case you should first insert in your props.conf a stanza with the sourcetype and not with the source (I found problems with sources or hosts), and then you should modify your regex in the SEDCMD command:

[your_sourcetype]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g 

Bye.
Giuseppe

woodcock
Esteemed Legend

Your configuration is correct to mask the first 4 digits and you can see this like this:

|makeresults | eval raw="VendorID=9112 Code=B1 AcctID=4902343983"
| rename raw AS _raw
| rex mode=sed "s/AcctID=...../AcctID=XXXXX/g"

You need to deploy this to props.conf, but first fix your stanza header. I doubt that your sourcetype is mask.log. Check your inputs.conf and find out what you set sourcetype to and use that or, if you need to use source, then use this:

[source::mask.log]

Deploy to your Indexers (or HFs), restart Splunk there and verify on NEW events (old events will stay broken).
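As an added example, not code from this thread or from Splunk: a small Python model of what the indexer does when it applies a SEDCMD at parse time, run over constructed events in the shape of mask.log, so the asker's regex (first five characters) can be compared with gcusello's (every digit). The helpers parse_sedcmd, apply_sedcmd and leaked_digits are assumptions of this example; Splunk's real SEDCMD engine is not Python's re, but the two patterns behave the same on these inputs.

```python
import re

# Constructed sample events mirroring the mask.log lines in the question,
# plus one constructed edge case with a shorter account id.
SAMPLE_EVENTS = [
    "123456789123456789",
    "[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983",
    "[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983",
    "[05/Apr/2017:00:04:48:21] VendorID=9114 Code=B3 AcctID=4902",
]

# The two SEDCMD values posted in the thread.
PARTIAL_MASK = "s/AcctID=...../AcctID=XXXXX/g"      # asker: any 5 characters
FULL_MASK = r"s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g"     # gcusello: all digits


def parse_sedcmd(sedcmd):
    """Split s/regex/replacement/flags into its parts ('/' delimiter only)."""
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([gi]*)", sedcmd)
    if not m:
        raise ValueError(f"unsupported SEDCMD: {sedcmd}")
    return m.groups()


def apply_sedcmd(sedcmd, event):
    """Apply one SEDCMD to one raw event, as the indexer would before indexing."""
    pattern, replacement, flags = parse_sedcmd(sedcmd)
    count = 0 if "g" in flags else 1           # sed 'g' = replace every match
    re_flags = re.IGNORECASE if "i" in flags else 0
    # sed-style escapes of punctuation in the replacement (e.g. '\=') are literals.
    replacement = re.sub(r"\\([^A-Za-z0-9])", r"\1", replacement)
    return re.sub(pattern, replacement, event, count=count, flags=re_flags)


def leaked_digits(event):
    """Defender's check: how many AcctID digits are still visible after masking."""
    m = re.search(r"AcctID=(\S*)", event)
    return sum(c.isdigit() for c in m.group(1)) if m else 0


def mask_all(sedcmd, events=SAMPLE_EVENTS):
    return [apply_sedcmd(sedcmd, e) for e in events]


if __name__ == "__main__":
    for rule in (PARTIAL_MASK, FULL_MASK):
        print(rule)
        for out in mask_all(rule):
            print(f"  leaked={leaked_digits(out)}  {out}")
```

The dot pattern leaves the last five digits readable and silently skips an AcctID shorter than five characters; the `\d+` form masks the whole value in both cases.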

woodcock
Esteemed Legend

Did you try this? Did it work?

Prakhar_shukla
Path Finder

Thanks gcusello, woodcock. Yes, it worked after replacing source with sourcetype.

Prakhar_shukla
Path Finder

Here I am trying to mask the first 5 digits of AcctID. The mask.log file is in the /tmp/ folder.
