Could someone help me with Data Masking?

egcp · ‎09-19-2022

Hi,

I am trying to mask dataat index time, can you please help ?

First line is a result and second is what i would like to be.

Thx

"authenticationValue":"AAcBBGJxFAAAAZZANIJZdQAAAAA=" Result

"authenticationValue":"****************************"

egcp · ‎09-20-2022

Hi,

props are properly placed.

In search also nothing is changed.

Thank you for your effort .

gcusello · ‎09-19-2022

Hi @egcp,

you can follow the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

You have two methods:

using SEDCMD
using props.conf and transfroms.conf

Using SEDCMD, you have to put in your props.conf:

[your_sourcetype]
SEDCMD-xxx = s/"authenticationValue":"\w+"/"authenticationValue":"****************************"/g

Using props.conf and transforms.conf:

props.conf:
[your_sourcetype]
TRANSFORMS-anonym,izer = session-anonymizer


transforms.conf:
[session-anonymizer]
REGEX = \"authenticationValue\":\"(\w+\)\"
FORMAT = \"authenticationValue\":\"(**********)\"
DEST_KEY = _raw

there also some videos to teach about this topic in YouTube Splunk channel.

Ciao.

Giuseppe

egcp · ‎09-19-2022

Hi,

Tried both options , but nothing change in log.

gcusello · ‎09-19-2022

Hi @egcp,

the first check to perform is on the regex: use the "regex" command to check if the regex is correct

<your_search>
| rex mode=sed "SEDCMD-xxx = s/"authenticationValue":"\w+"/"authenticationValue":"****************************"/g"

then, where is this props.conf?

it must be located on the indexers or (if present) on Heavy Forwarders.

Ciao.

Giuseppe

Could someone help me with Data Masking?

props.conf

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...