How can I mask the values for two identical keys in a multi-line event at index time?

w199284
Explorer

I have a multiline event with two identical keys that I need to mask values for, as shown below. I am NOT especially handy with regex but have managed to get one of the values, the second, masked. Has anyone out there had success masking a multiline event with multiple values like this? Thanks in advance.

2020-02-16 17:00:11,374 [INFO ] pool-1-thread-152 ServiceIdentity - null|null :
OrderNumber: 654321
Ids: 12345678 23456789 34567890
Response: False
manualCapture: False
PostResponses:
specialId: 1234567 <===(1)
relationship: null
nopp: 2
open: False
specialId: 7654321 <===(2)
relationship: null
nopp: 2
open: False

0 Karma
1 Solution

woodcock
Esteemed Legend

It all depends on what you mean by mask (and I am not talking about algorithms). Let's assume that you mean to obscure it on the way in. You can do that with something like this on your indexers:

SEDCMD-obscure_specialId = s/(specialId:\s*)(\d+)/\1***/g

Let's assume that you need to MD5 it on the way in; then you will need something like cribl.

to4kawa
Ultra Champion
0 Karma

w199284
Explorer

Yeah obscure. I'll give it a shot with SED. Thanks for your response!

0 Karma

w199284
Explorer

That worked. The final solution has some additional matches to account for special characters and spaces. Thank you for your response.
s/([s|S]pecial[i|I][d|D]\s*[:|=|[])\s*(\w+)/\1xxxxx/g

0 Karma
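An offline check of the two SEDCMD expressions posted above against the sample event, as an added example that is not part of the original posts. It assumes Python's `re` behaves like Splunk's PCRE engine for these particular patterns; `apply_sed` and `leaked_ids` are hypothetical helper names.

```python
import re

# Constructed sample: the multi-line event from the question, trimmed.
EVENT = """2020-02-16 17:00:11,374 [INFO ] pool-1-thread-152 ServiceIdentity - null|null :
OrderNumber: 654321
PostResponses:
specialId: 1234567
relationship: null
specialId: 7654321
relationship: null
"""

# The two expressions exactly as posted in the thread.
ANSWER_SED = r"s/(specialId:\s*)(\d+)/\1***/g"
FINAL_SED = r"s/([s|S]pecial[i|I][d|D]\s*[:|=|[])\s*(\w+)/\1xxxxx/g"


def apply_sed(expr, text):
    """Apply one sed-style s/regex/replacement/[g] expression to text."""
    m = re.fullmatch(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)", expr)
    if m is None:
        raise ValueError("unsupported sed expression: " + expr)
    pattern, replacement, flags = m.groups()
    # Without the g flag, sed replaces only the first match in the event,
    # which leaves the second specialId readable.
    count = 0 if flags == "g" else 1
    return re.sub(pattern, replacement, text, count=count)


def leaked_ids(text):
    """Return numeric specialId values that are still readable in text."""
    return re.findall(r"(?i)specialid\s*[:=\[]\s*(\d+)", text)


if __name__ == "__main__":
    for name, expr in (("answer", ANSWER_SED), ("final", FINAL_SED),
                       ("answer without g", ANSWER_SED[:-1])):
        masked = apply_sed(expr, EVENT)
        print(f"{name}: still readable -> {leaked_ids(masked)}")
    # Inside [...] a | is a literal pipe, not alternation, so the posted
    # [s|S] also accepts '|' in that position (it over-matches, never under-matches).
    print(apply_sed(FINAL_SED, "|pecial|d| 42"))
```

Running the same check against a few real events from the sourcetype before deploying the setting confirms that every occurrence in a multi-line event is covered.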

skoelpin
SplunkTrust

You can use an md5 hash function to mask it like this

| eval new_field=md5(FIELD_NAME)

https://docs.splunk.com/Documentation/DSP/1.0.0/DSPFunctionReference/Cryptographic

0 Karma

xavierashe
Contributor

What regex do you have now?

0 Karma