2023-08-04 08:53:00.473, ID="15438391", EventClass="10", textdata="exec up_tcsbs_ess_ins_ipsysuser @IID=20231619,@RoleID=NULL,@AdpGuid='F31B78A6-285F-4E8A-A063-8581CEA30AD4',@PersonId='641',@dob='1991-03-16 00:00:00',@ssn='114784117',@tin=default,@companyname=default,@contactzip='181037802',@hiredate='2023-07-14 00:00:00',@adpUserId=NULL,@associateId=default,@essRoleId='15'", HostName="DC1PRRUNVBT0034", ClientProcessID="20496", ApplicationName=".Net SqlClient Data Provider", LoginName="TcStandard", SPID="5893", Duration="3247079", StartTime="2023-08-04 09:53:00.473", EndTime="2023-08-04 09:53:03.72", Reads="95", Writes="5", CPU="0", Error="0", DatabaseName="iFarm", RowCounts="6", RequestID="0", EventSequence="1447598967", SessionLoginName="TcStandard", ServerName="DC1PRMSPADB40"
Hi @Hemant93,
Masking sensitive data is typically performed on the Heavy Forwarder / Indexer before it goes into the Splunk index. We can do that job with a props.conf file.
[maskpii]
SEDCMD-pii-dob = s/@dob=['"][^'"]+['"]/@dob='***MASKED***'/g
SEDCMD-pii-ssn = s/@ssn=['"][^'"]+['"]/@ssn='***MASKED***'/g
This file uses the maskpii sourcetype, and tells Splunk to change any dob or ssn value to "***MASKED***".
Put that props file on either the heavy forwarder or indexer (wherever your data is sent first) and restart Splunk.
Using that file I ingested your sample data and here's the result:
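An offline check of the two SEDCMD expressions above, as an added example that is not part of the original answer or of Splunk itself: it applies the stanza's `s///` rules to a constructed event and reports any `@dob` or `@ssn` value that survives. Assumptions: Python's `re` stands in for Splunk's regex engine, and the function names and the sample event are made up for illustration.

```python
import re

# props.conf stanza copied from the answer above.
PROPS = r"""
[maskpii]
SEDCMD-pii-dob = s/@dob=['"][^'"]+['"]/@dob='***MASKED***'/g
SEDCMD-pii-ssn = s/@ssn=['"][^'"]+['"]/@ssn='***MASKED***'/g
"""

# Constructed event shaped like the question's sample; every value is made up.
EVENT = (
    '2023-01-01 00:00:00.000, EventClass="10", textdata="exec up_example '
    "@PersonId='1',@dob='1990-01-01 00:00:00',@ssn='000000000',@tin=default\", "
    'LoginName="example"'
)

def parse_sedcmds(props_text):
    """Return (name, compiled regex, replacement, count) per s/// SEDCMD line."""
    rules = []
    for line in props_text.splitlines():
        m = re.match(r"\s*SEDCMD-(\S+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        parts = re.split(r"(?<!\\)/", m.group(2))  # split on unescaped '/'
        if len(parts) != 4 or parts[0] != "s" or parts[3] not in ("", "g"):
            raise ValueError("unsupported SEDCMD: " + line)
        _, pattern, repl, flags = parts
        # 'g' replaces every match; no flag replaces only the first.
        rules.append((m.group(1), re.compile(pattern), repl, 0 if flags == "g" else 1))
    return rules

def mask(event, rules):
    """Apply each rule to the event text, in order of appearance."""
    for _name, rx, repl, count in rules:
        event = rx.sub(repl, event, count=count)
    return event

def unmasked(event, params=("dob", "ssn")):
    """List parameters that still carry a quoted value other than the mask."""
    leaks = []
    for p in params:
        for value in re.findall(r"@%s=['\"]([^'\"]+)['\"]" % p, event):
            if value != "***MASKED***":
                leaks.append(p)
    return leaks

if __name__ == "__main__":
    masked = mask(EVENT, parse_sedcmds(PROPS))
    print(masked)
    print("still exposed:", unmasked(masked))
```

Parameters the stanza does not name, such as `@PersonId` or `@contactzip` in the sample event, pass through unchanged; add them to `params` and to the stanza if they also need masking.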