Hi Splunk experts,
I am using a regex transform to mask data in Splunk, but Splunk only masks the first occurrence of the string matched by that regex in one event. For example:
[user]
REGEX = (?i)^(.*?)user\=\w+(.*)$
FORMAT = $1user=XXXXXXX$2
DEST_KEY = _raw
Sample event
2013-02-22 user=xyz hello user=abc
It will just mask user=xyz and will not touch user=abc.
Do we have any solution for this?
Thanks
I would personally look at using a sed command instead:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles#Through...
The following is not tested but it should give you an idea.
SEDCMD-user = s/user=(\w+)/user=xxxxx/g
...but SEDCMD is using regex. I really don't see the problem.
Maybe because I have already followed that route and implemented data masking, and now I have to do all the work again using SEDCMD 😞. So looking for a solution using regex only.
It might be but why would you go for that route when SEDCMD exists?
So you mean it is not possible using regex transform?
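The difference discussed in this thread, as an added example that is not part of any post or of Splunk's own code: the question's REGEX/FORMAT pair and the answer's SEDCMD expression are emulated with Python's `re` module (an assumption standing in for Splunk's regex engine), and a hypothetical helper `unmasked_users` checks the masked output for values that slipped through.

```python
import re

# Constructed sample: the event quoted in the question.
EVENT = "2013-02-22 user=xyz hello user=abc"

# The question's transform. Anchored with ^...$, so it can match an event
# only once; everything after the first user=... lands in group 2 untouched.
TRANSFORM_REGEX = re.compile(r"(?i)^(.*?)user\=\w+(.*)$")
TRANSFORM_FORMAT = r"\g<1>user=XXXXXXX\g<2>"  # FORMAT = $1user=XXXXXXX$2

# The answer's SEDCMD: s/user=(\w+)/user=xxxxx/g
SED_REGEX = re.compile(r"user=(\w+)")
SED_REPLACEMENT = "user=xxxxx"


def apply_transform(event):
    """Emulate the REGEX/FORMAT rewrite of _raw: one match, one rewrite."""
    match = TRANSFORM_REGEX.match(event)
    return match.expand(TRANSFORM_FORMAT) if match else event


def apply_sedcmd(event):
    """Emulate the sed-style substitution; the /g flag replaces every match."""
    return SED_REGEX.sub(SED_REPLACEMENT, event)


def unmasked_users(event, mask_tokens=("XXXXXXX", "xxxxx")):
    """Return user= values still present in clear text after masking."""
    values = re.findall(r"(?i)user=(\w+)", event)
    return [v for v in values if v not in mask_tokens]


if __name__ == "__main__":
    for name, masker in (("transform", apply_transform), ("sedcmd", apply_sedcmd)):
        masked = masker(EVENT)
        print(f"{name:9} -> {masked}   leaked: {unmasked_users(masked)}")
```

Running a check like `unmasked_users` over a sample of indexed events is a quick way to confirm that a masking rule covers every occurrence before relying on it.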