Data Masking

muguniya · ‎04-11-2014

Hi Team,

I need to mask multiple phrase in XML file. where in the complete XML file is in one single line. Please confirm will below setup will do the job

transforms.conf

[memberid-anonymizer]
DEST_KEY = _raw
FORMAT = $1memberID>XXXXX$2
REGEX = (?m)^(.*)memberID>\w+(\w{4}[\<"].*)$
SOURCE_KEY = _raw

[firstname-anonymizer]
DEST_KEY = _raw
FORMAT = $1memberFirstName>XXXXXXXXX$2
REGEX = (?m)^(.*)memberFirstName>\w+(\w{0}[\<"].*)$
SOURCE_KEY = _raw

[lastname-anonymizer]
DEST_KEY = _raw
FORMAT = $1memberLastName>XXXXXXXXX$2
REGEX = (?m)^(.*)memberLastName>\w+(\w{0}[\<"].*)$
SOURCE_KEY = _raw

props.conf

[testsandbox]
TRANSFORMS-anonymize = memberid-anonymizer, firstname-anonymizer, lastname-anonymizer

Sample Event:

2014-04-11 53:14:37,751 INFO  [WebContainer : 24] (UrgentCareController.java:) - InterPortletObjects from pp <com.sample.test.MytestObjects>
  <memberID>1234567</memberID>
  <memberlifeID>1294032</memberlifeID>
  <memberFirstName>Mugunthan</memberFirstName>
  <memberLastName>Gopala</memberLastName>
</com.sample.test.MytestObjects>

Thanks
Mugunthan

martin_mueller · ‎04-11-2014

That should work, though I recommend using props.conf SEDCMD-class instead - something like this:

[testsandbox]
SEDCMD-memberid = s/(<memberID>)\w+(\w{4}</memberID>)/\1XXXXX\2/g
SEDCMD-membername = s/(<member(?:First|Last)Name>)[^<]+(</member(?:First|Last)Name>)/\1XXXXXXXX\2/g

I personally prefer this for simplicity when all you need is a simple anonymizing replace.

Data Masking

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation

Data Masking

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition