Could someone help me with Data Masking?

egcp · ‎09-19-2022

Hi,

I am trying to mask dataat index time, can you please help ?

First line is a result and second is what i would like to be.

Thx

"authenticationValue":"AAcBBGJxFAAAAZZANIJZdQAAAAA=" Result

"authenticationValue":"****************************"

egcp · ‎09-20-2022

Hi,

props are properly placed.

In search also nothing is changed.

Thank you for your effort .

gcusello · ‎09-19-2022

Hi @egcp,

you can follow the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

You have two methods:

using SEDCMD
using props.conf and transfroms.conf

Using SEDCMD, you have to put in your props.conf:

[your_sourcetype]
SEDCMD-xxx = s/"authenticationValue":"\w+"/"authenticationValue":"****************************"/g

Using props.conf and transforms.conf:

props.conf:
[your_sourcetype]
TRANSFORMS-anonym,izer = session-anonymizer


transforms.conf:
[session-anonymizer]
REGEX = \"authenticationValue\":\"(\w+\)\"
FORMAT = \"authenticationValue\":\"(**********)\"
DEST_KEY = _raw

there also some videos to teach about this topic in YouTube Splunk channel.

Ciao.

Giuseppe

egcp · ‎09-19-2022

Hi,

Tried both options , but nothing change in log.

gcusello · ‎09-19-2022

Hi @egcp,

the first check to perform is on the regex: use the "regex" command to check if the regex is correct

<your_search>
| rex mode=sed "SEDCMD-xxx = s/"authenticationValue":"\w+"/"authenticationValue":"****************************"/g"

then, where is this props.conf?

it must be located on the indexers or (if present) on Heavy Forwarders.

Ciao.

Giuseppe

Could someone help me with Data Masking?

props.conf

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio