Getting Data In

Data Anonimization - Multiple transforms not working for single _raw event

nareshinsvu
Builder

Hi Punters,

 I am facing issues with Data Anonimization. Below are my conf files. My transforms.conf anonimizes the data if my _raw event have any one regex pattern. But it's not anonimizing my _raw event if it has both the regex patterns. Need help please.

 

xml-anonymizer also doesn't work if my _raw event is having JSON message. But it works fine if the _raw event is a normal line.

 

props.conf

[dp_logs_multiline]
CHECK_METHOD = modtime
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}
category = Custom
disabled = false
pulldown_type = 1
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX = ^
TRANSFORMS-anonymize = json-anonymizer, xml-anonymizer
ANNOTATE_PUNCT = false
TRUNCATE = 100000
MAX_EVENTS = 10000

transforms.conf

[json-anonymizer]
REGEX = (?ms)^(.*\"[sS]hippingAddress\"\s+\:\s+\{)[\s\S]*?(\}.*)$
FORMAT = $1#########JSON PCC DATA ANONIMIZED#############$2
REPEAT_MATCH = true
MV_ADD = true
DEST_KEY = _raw

[xml-anonymizer]
REGEX = (?ms)^(.*\<[bB]illTo\>)[\s\S]*?(\<\/[rR]equestMessage\>.*)$
FORMAT = $1#########XML PCC DATA ANONIMIZED#############$2
REPEAT_MATCH = true
MV_ADD = true
DEST_KEY = _raw

Labels (3)
0 Karma

thambisetty
Super Champion

Did you try two SEDCMD-class1, SEDCMD-class2. you don't need to have transforms.conf. Having multiple transforms will always be a problem.

————————————
If this helps, give a like below.
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>