data masking not working

Prakhar_shukla
Path Finder

this is the log file

bash-4.2$ more mask.log    (static log file for testing; added via input file monitoring from the web UI for index idx1)
123456789123456789
[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983
[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983

here is my props.conf in /local/

bash-4.2$ more props.conf
[mask.log]
SEDCMD-1acct = s/AcctID=...../AcctID=XXXXX/g

When I am searching the index, I am getting the unmasked log file; masking is just not working.

Please help out.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi Prakhar_shukla,
do you want to mask your AcctID in the data before indexing?
In this case you should first insert in your props.conf a stanza with the sourcetype and not with the source (I found problems with sources or hosts), and after that you should modify your regex in the SEDCMD command:

[your_sourcetype]
SEDCMD-1acct = s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g

Bye.
Giuseppe


0 Karma
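As an added example (not code from the thread or from Splunk), here is a small Python emulation of the SEDCMD substitution, run over the two sample events from the question. It shows the difference between the question's five-dot pattern, which leaves the remaining digits of AcctID in the indexed event, and the answer's \d+ pattern, which masks the whole value; it does not emulate the stanza matching (source vs. sourcetype), which is what actually stopped the question's config from firing.

```python
import re

# Constructed sample events, copied from the question's mask.log
SAMPLE_EVENTS = [
    "[05/Apr/2017:00:02:48:21] VendorID=9112 Code=B1 AcctID=4902343983",
    "[05/Apr/2017:00:03:48:21] VendorID=9113 Code=B2 AcctID=4902343983",
]

QUESTION_SEDCMD = "s/AcctID=...../AcctID=XXXXX/g"          # from the question's props.conf
ANSWER_SEDCMD = r"s/AcctID\=\d+/AcctID\=XXXXXXXXXX/g"      # from the accepted answer


def parse_sedcmd(expr):
    """Split a Splunk-style SEDCMD value s<d>regex<d>replacement<d>flags on its delimiter,
    honouring backslash escapes. Only the 's' form is handled; backreferences such as \\1
    in the replacement are not emulated (hypothetical helper, assumption of this example)."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only s/regex/replacement/flags is supported")
    delim, parts, buf, i = expr[1], [], "", 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):      # keep escape pairs intact
            buf += ch + expr[i + 1]
            i += 2
            continue
        if ch == delim:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    if len(parts) != 3:
        raise ValueError("malformed SEDCMD: %r" % expr)
    pattern, replacement, flags = parts
    # sed treats "\=" in the replacement as a literal "="; drop such escapes
    replacement = re.sub(r"\\([^0-9a-zA-Z])", r"\1", replacement)
    return re.compile(pattern), replacement, "g" in flags


def apply_sedcmd(expr, event):
    """Apply one SEDCMD expression to one raw event, as indexing-time masking would."""
    regex, repl, is_global = parse_sedcmd(expr)
    return regex.sub(lambda m: repl, event, count=0 if is_global else 1)


def mask_events(expr, events=SAMPLE_EVENTS):
    return [apply_sedcmd(expr, e) for e in events]


def leaks_digits(masked_event):
    """True if any digit of AcctID survives in the masked event (a check worth running
    on a sample before the config reaches the indexers)."""
    m = re.search(r"AcctID=(\S+)", masked_event)
    return m is not None and any(c.isdigit() for c in m.group(1))
```

Run mask_events with each expression and feed the results to leaks_digits: the five-dot pattern yields AcctID=XXXXX43983 and still leaks, while the \d+ pattern yields AcctID=XXXXXXXXXX.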

woodcock
Esteemed Legend

Your configuration is correct to mask the first 4 digits and you can see this like this:

|makeresults | eval raw="VendorID=9112 Code=B1 AcctID=4902343983"
| rename raw AS _raw
| rex mode=sed "s/AcctID=...../AcctID=XXXXX/g"

You need to deploy this to props.conf, but first fix your stanza header. I doubt that your sourcetype is mask.log. Check your inputs.conf, find out what you set sourcetype to, and use that; or, if you need to use source, then use this:

[source::mask.log]

Deploy to your Indexers (or HFs), restart Splunk there, and verify on NEW events (old events will stay broken).

0 Karma

woodcock
Esteemed Legend

Did you try this? Did it work?

0 Karma

Prakhar_shukla
Path Finder

Thanks gcusello, woodcock. Yes, it worked after replacing source with sourcetype.

0 Karma


Prakhar_shukla
Path Finder

Here I am trying to mask the first 5 digits of AcctID. The mask.log file is in the /tmp/ folder.

0 Karma