Getting Data In

How to mask SSN at index-time using SEDCMD in props.conf?

locose
Path Finder

I'm trying to mask SSN using the SEDCMD command, but it isn't working.

My search:

sourcetype = my_source_type   *SSN

returns

'Call_SSN'   '123456789'
'Ssn_bla'    '987654321'
'bla_SSN'   '123456789'

I updated the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/=\d{5}(\d{4})/*SSN   xxxxx\1/g

But it's not masking it.

0 Karma

woodcock
Esteemed Legend

If you are using INDEXED_EXTRACTIONS to create those fields, then they are created at Index-Time in the time parsing portion of the pipeline that executes before the SEDCMD is executed. If you get SEDCMD working what should happen is that field _raw will be modified, but the INDEXED_EXTRACTIONS fields will still contain the pre-mod text.

0 Karma

MuS
SplunkTrust

This is why I told you this before 😉 ->

Place this on the Splunk instance where the parsing happens
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

0 Karma

MuS
SplunkTrust

Hi locose,

looks like the regex does not match your example events; this regex will match:

[SsNn_]+.+?['\s]+\d+'

tested and working on https://regex101.com . So your props.conf should look like this:

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g

Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings and restart Splunk; it will also only be applied to new events.

Hope this helps ...

cheers, MuS

0 Karma

locose
Path Finder

So my search query is still

sourcetype = my_source_type SSN

I'm still getting

SsN_ENA
Call_SSN
BLA_sSN

in the search results

In the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx\1/g

0 Karma

MuS
SplunkTrust

take this run everywhere search which works:

| gentimes start=-1 | eval foo="'Call_SSN'   '123456789'
 'Ssn_bla'    '987654321'
 'bla_SSN'    '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g"

my provided SEDCMD will only replace the values NOT the fields.

0 Karma
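The following Python script is an added example, not code from this thread or from Splunk. It does offline what MuS's `rex mode=sed` search does inside Splunk: it parses an `s/<regex>/<replacement>/<flags>` SEDCMD expression, validates it (the regex compiles and every `\N` backreference points at a capturing group that exists), and applies it to constructed copies of the three events quoted in the question. It uses Python's `re` module rather than Splunk's own sed engine, so it assumes the expressions use only syntax the two share (character classes, `\d`, `\s`, lazy quantifiers, `\N` backreferences); whether Splunk silently ignores an expression that fails validation here is not something this script can tell you. Running it shows that the first SEDCMD from the question matches none of the sample events, that MuS's expression masks the values but leaves the field names in place, and that the later variant with `\1` appended references a group the pattern does not define.

```python
import re

# Constructed sample events mirroring the ones quoted in the question
# (the nine-digit values are made up, not real SSNs).
SAMPLE_EVENTS = [
    "'Call_SSN'   '123456789'",
    "'Ssn_bla'    '987654321'",
    "'bla_SSN'   '123456789'",
]

# The SEDCMD expressions that appear in this thread, exactly as posted.
ORIGINAL_SEDCMD = r"s/=\d{5}(\d{4})/*SSN   xxxxx\1/g"
MUS_SEDCMD = r"s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g"
MUS_SEDCMD_WITH_BACKREF = r"s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx\1/g"


def parse_sedcmd(expr):
    """Split an s/<regex>/<replacement>/<flags> expression into its parts.

    Only the 's' command is supported, which is all this thread uses.
    A backslash-escaped delimiter inside a part is unescaped; every other
    escape (\\d, \\s, \\1, ...) is kept verbatim for the regex engine.
    """
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only s/<regex>/<replacement>/<flags> is supported")
    delim = expr[1]
    parts, current, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            current.append(nxt if nxt == delim else ch + nxt)
            i += 2
            continue
        if ch == delim:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    if len(parts) != 3:
        raise ValueError(f"malformed sed expression: {expr!r}")
    regex, replacement, flags = parts
    return regex, replacement, flags


def validate_sedcmd(expr):
    """Compile the regex and check the replacement's \\N backreferences.

    Returns (compiled_pattern, replacement, flags); raises ValueError when
    the regex does not compile or a backreference has no matching group.
    """
    regex, replacement, flags = parse_sedcmd(expr)
    try:
        pattern = re.compile(regex)
    except re.error as exc:
        raise ValueError(f"regex does not compile: {exc}") from exc
    i = 0
    while i < len(replacement):
        if replacement[i] == "\\" and i + 1 < len(replacement):
            nxt = replacement[i + 1]
            # sed backreferences are the single digits \1..\9
            if nxt.isdigit() and int(nxt) > pattern.groups:
                raise ValueError(
                    f"replacement references group {nxt} but the regex "
                    f"defines only {pattern.groups} capturing group(s)")
            i += 2
            continue
        i += 1
    return pattern, replacement, flags


def sedcmd_problem(expr):
    """Return a human-readable reason the expression is unusable, or None."""
    try:
        validate_sedcmd(expr)
    except ValueError as exc:
        return str(exc)
    return None


def apply_sedcmd(expr, text):
    """Rewrite one event the way SEDCMD would rewrite _raw at parse time."""
    pattern, replacement, flags = validate_sedcmd(expr)
    count = 0 if "g" in flags else 1   # 0 means "all occurrences" in re.sub
    return pattern.sub(replacement, text, count=count)


def mask_events(expr, events):
    """Apply one SEDCMD expression to every event and return the results."""
    return [apply_sedcmd(expr, event) for event in events]


if __name__ == "__main__":
    for label, expr in [("original", ORIGINAL_SEDCMD),
                        ("MuS", MUS_SEDCMD),
                        ("MuS + \\1", MUS_SEDCMD_WITH_BACKREF)]:
        problem = sedcmd_problem(expr)
        print(f"== {label}: {expr}")
        if problem:
            print("   rejected:", problem)
            continue
        for before, after in zip(SAMPLE_EVENTS, mask_events(expr, SAMPLE_EVENTS)):
            print(f"   {before!r:32} -> {after!r}")
```

Because the regex starts matching at the first `S`, `s`, `N`, `n` or `_` it sees, the masked output keeps whatever precedes that character (`'Call` and `'bla` survive, `'Ssn_bla'` does not); that is the behaviour MuS describes when saying the SEDCMD replaces the values and not the fields, and it is worth checking against a sample of real events before the setting goes into the parsing tier's props.conf.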

locose
Path Finder

Hello MuS

unfortunately that didn't work

0 Karma

MuS
SplunkTrust

Can you tell what you did?

0 Karma