Anonymize Multiple Data Points in Splunk Search

markhvesta
Path Finder

I am trying to anonymize customer credit card data in Splunk logs, but when more than one card appears in the same event, only one is scrubbed.

Transforms on the indexers:

[SEDCMD-anonymizecc]
REGEX =  s/(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})/###SCRUBBED###/g
FORMAT= $1###SCRUBBED###$2
REPEAT_MATCH = true
LOOKAHEAD = 800

Sample event:

2019-08-27 13:31:00,002 -0700 DEBUG -
Sent Message HTTP POST
Elapsed time : 0.007166 (seconds)
ContentType : application/x_www_form_urlencoded
Request : Amount = 528.01
CardNumber = CARDNUMBER
PaymentDeviceOnFileID =
ResponseCode = 0
Request Buffer : Amount=528.01&CardNumber=CARDNUMBER&PaymentDeviceOnFileID=##NULL##
Response Buffer : ResponseCode=0

0 Karma

harsmarvania57
Ultra Champion

Hi,

You can use SEDCMD in props.conf to achieve this easily at index time, compared to a combination of props and transforms.

Please try the config below:

props.conf

[yourSourcetype]
SEDCMD-Anon = s/(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})/###SCRUBBED###/g
0 Karma

markhvesta
Path Finder

I just tried this and it is only masking the second instance and not the first in the event.

0 Karma
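
One way to check the substitution offline before deploying it, as an added example that is not part of the thread: it parses the SEDCMD value from the props.conf answer and applies it to a constructed event holding two test card numbers. The helper names and the event are assumptions, and plain sed semantics are assumed for the flags (`g` replaces every match, no flag replaces only the first).

```python
import re

# SEDCMD value copied from the props.conf answer in the thread.
SEDCMD = (r"s/(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}"
          r"|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})"
          r"/###SCRUBBED###/g")

# Constructed event modelled on the sample in the question. The two card
# numbers are well-known test values, not real data.
EVENT = """2019-08-27 13:31:00,002 -0700 DEBUG -
Sent Message HTTP POST
Request : Amount = 528.01
CardNumber = 4111111111111111
Request Buffer : Amount=528.01&CardNumber=5555555555554444&PaymentDeviceOnFileID=##NULL##
Response Buffer : ResponseCode=0"""


def parse_sedcmd(value):
    """Split s/<regex>/<replacement>/<flags> on unescaped slashes."""
    parts = re.split(r"(?<!\\)/", value.strip())
    if len(parts) != 4 or parts[0] != "s":
        raise ValueError("expected s/<regex>/<replacement>/<flags>")
    return re.compile(parts[1]), parts[2], parts[3]


def apply_sedcmd(value, event):
    """Return (masked_event, replacement_count); 'g' masks every match."""
    regex, replacement, flags = parse_sedcmd(value)
    count = 0 if "g" in flags else 1  # assumption: sed semantics for flags
    return regex.subn(lambda m: replacement, event, count=count)


def residual_digit_runs(text, min_len=13):
    """Digit runs long enough to be a card number that survived masking."""
    return re.findall(r"\d{%d,}" % min_len, text)


if __name__ == "__main__":
    masked, n = apply_sedcmd(SEDCMD, EVENT)
    print(n, "replacement(s)")
    print(masked)
    print("residual:", residual_digit_runs(masked))
```

Running `residual_digit_runs` over masked sample events is a quick regression check for any later change to the expression.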