Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to anonymize credit card numbers using props.conf and transforms .conf?

gotenzw
Observer
‎08-07-2022 02:54 AM

hi im trying to replace credit card number (16 digits) in a csv file with xxxx

when i input below text, full event will be masked i will only see xxxx in the search

test1,test2, 0123456789123456 

when i input any credit card number which is less than 16 digits , i can see full event in the search

test3,test4,1234

 

please find the following  configuration files

props.conf

[ccdata]
TRANSFORMS-anonymize = masking

 

transforms.conf

[masking]
REGEX = \d{16}
FORMAT = xxxx
DEST_KEY = _raw

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-07-2022 07:54 AM

Hi @gotenzw,

as @richgalloway, the behavior you described is correct: you transform a credit card number (16 digits) if you have a number with 16 digits in that field, if you have anything different, the transformation doesn't run but it's correct.

If you want to mask every number in the third field (also less than 16 digits), you have to use a different approach as described at https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata:

in props.conf use this command:

[<your_sourcetype>]
TRANSFORMS-anonymize = anonymizer

in transforms.conf:

[anonymizer]
REGEX = ^(\w+,\w+,)\d+
FORMAT = $1xxxxxxxxxxxxxxxx
DEST_KEY = _raw

Ciao.

Giuseppe

0 Karma
Reply

gotenzw
Observer
‎08-07-2022 08:39 AM

i need to use same approach which is 16 digits but i want to see other fields.

im expecting  the event like below

 

event1,event2,xxxx 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-07-2022 08:53 AM

Hi @gotenzw,

with my approach, you should see the other fields and anonymize only the Credit Card Number, otherwise, as described in the above url (https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata), you can also try SEDCMD command in props.conf:

 

[<your_sourcetype>]
SEDCMD-Anonymize = s/^\w+,\w+,\d+/^\w+,\w+,xxxxxxxxxxxxxxxx/g

 

Ciao.

Giuseppe

0 Karma
Reply

gotenzw
Observer
‎08-07-2022 08:59 AM

i used the SEDCMD and it worked fine but i need to do it using transforms.conf

below is the props.conf which i used.

[ccdata]
SEDCMD-ccdatamask = s/\d{16}/xxxx/g 

 

is it possible to do the same using trasnforms.conf ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-07-2022 10:31 PM

Hi @gotenzw,

yes, it's possible.

Your transforms.conf is correct, and the configuration you shared is correct but only for 16 digits numbers, if you have less numbers it doesn't work.

if you don't have other numerical fields you could try to use a little different regex to recognize your CC number:

[masking]
REGEX = \d+
FORMAT = xxxx
DEST_KEY = _raw

Ciao.

Giuseppe

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2022 06:30 AM

What is the problem you are trying to solve?  The way I read this description everything appears to be working as desired.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gotenzw
Observer
‎08-07-2022 06:38 AM

i need to see other fields like test1, test2, what is required is to mask only credit card number which is the 16 digit, but the issue here i can't see full event after masking as stated before only xxxx i can see in the search

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...