Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to mask SSN at index-time using SEDCMD in props.conf?

locose
Path Finder
‎11-02-2015 11:12 AM

I'm trying to mask SSN using the SEDCMD command, but it isn't working.

My search:

sourcetype = my_source_type   *SSN

returns

'Call_SSN'   '123456789'
'Ssn_bla'    '987654321'
'bla_SSN'   '123456789'

I updated the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/=\d{5}(\d{4})/*SSN   xxxxx\1/g

But it's not masking it.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-02-2015 04:04 PM

If you are using INDEXED_EXTRACTIONS to create those fields, then they are created at Index-Time in the time parsing portion of the pipeline that executes before the SEDCMD is executed. If you get SEDCMD working what should happen is that field _raw will be modified, but the INDEXED_EXTRACTIONS fields will still contain the pre-mod text.

0 Karma
Reply

MuS
Legend
‎11-02-2015 04:16 PM

This is way I told this before 😉 ->

Place this on the Splunk instance where the parsing happens
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

0 Karma
Reply

MuS
Legend
‎11-02-2015 11:32 AM

Hi locose,

looks like the regex does not match your example events; this regex will match:

 [SsNn_]+.+?['\s]+\d+'

tested and working on https://regex101.com . So your props.conf should look like this:

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g

Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings and restart Splunk; it will also only be applied to new events.

Hope this helps ...

cheers, MuS

0 Karma
Reply

locose
Path Finder
‎11-02-2015 12:51 PM

So my serach query is still

sourcetype = my_source_type SSN

I'm still getting

SsN_ENA
Call_SSN
BLA_sSN

in the search results

In the system/local/props.conf 

 [my_source_type]
 SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx\1/g
0 Karma
Reply

MuS
Legend
‎11-02-2015 01:10 PM

take this run everywhere search which works:

| gentimes start=-1 | eval foo="'Call_SSN'   '123456789'
 'Ssn_bla'    '987654321'
 'bla_SSN'    '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g"

my provided SEDCMD will only replace the values NOT the fields.

0 Karma
Reply

locose
Path Finder
‎11-02-2015 12:13 PM

Hello MuS

unfortunately that didn't work

0 Karma
Reply

MuS
Legend
‎11-02-2015 12:43 PM

Can you tell what you did?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...