Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Anonymize Data in Splunk Search

jmaguire1992
Explorer
‎03-09-2016 03:25 AM

Hey,
I am running a local instance of splunk for testing purposes. The aim is toAnonymize certain parts of the data that can be searched.
In my files there were no props.conf or transforms.conf so I created these two files in this folder

'C:\Program Files\Splunk\etc\system\local'

The data I am looking to anonymize is simple
testfield: 123
- Either by removing it completely or removing the unit.

If anyone could help with what exactly should go in the transforms.conf and the props.conf files that would be greatly appreciated.

Thank you,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DMohn
Motivator
‎03-09-2016 10:46 AM

Assuming you want to anonymize the '123' in your test data, you could use the following configuration:

props.conf

 [your_sourcetype]
 TRANSFORMS-anonymize = testdata_anonymizer

transforms.conf

 [testdata_anonymizer]
 REGEX = (?m)^testfield:\s+(.*)$
 FORMAT = testfield:\sxxxx
 DEST_KEY = _raw

This will strip all off your event after the 'testfield: ' string, and replace it with 'xxxx'
If you want to keep some of the data, you have to modify the regex accordingly.

View solution in original post

Reply
Solved! Jump to solution
Solution

DMohn
Motivator
‎03-09-2016 10:46 AM

Assuming you want to anonymize the '123' in your test data, you could use the following configuration:

props.conf

 [your_sourcetype]
 TRANSFORMS-anonymize = testdata_anonymizer

transforms.conf

 [testdata_anonymizer]
 REGEX = (?m)^testfield:\s+(.*)$
 FORMAT = testfield:\sxxxx
 DEST_KEY = _raw

This will strip all off your event after the 'testfield: ' string, and replace it with 'xxxx'
If you want to keep some of the data, you have to modify the regex accordingly.

Reply
Solved! Jump to solution

jmaguire1992
Explorer
‎03-10-2016 01:26 AM

Thank you very much! It worked! It removed all of the other data and just left

testfield:\sxxxx

So I will try figure out some way of modifying the regex to just Anoymize the testfield, but thank you so much for your helpful comment 🙂

0 Karma
Reply
Solved! Jump to solution

jaiminsol
New Member
‎09-12-2017 08:40 AM

Hi Sir,
Are you able to modify the regex to replace only 123 data . not all other fields in the even. IF yes Could you please provide the regex. Thanks in advance for your help .

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎09-12-2017 12:55 PM

You can modify the regex to capture only the next three digits after 'testfield:' this way:
REGEX = (?m)testfield:\s+(\d{3})
FORMAT = testfield:\sxxxx

This will capture any string 'testfield:' followed by a space and three digits.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-09-2016 10:05 AM

This Splunk doc should get you started.

http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top