Getting Data In

How to mask SSN at index-time using SEDCMD in props.conf?

locose
Path Finder

I'm trying to mask SSN using the SEDCMD command, but it isn't working.

My search:

sourcetype = my_source_type   *SSN

returns

'Call_SSN'   '123456789'
'Ssn_bla'    '987654321'
'bla_SSN'   '123456789'

I updated the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/=\d{5}(\d{4})/*SSN   xxxxx\1/g

But it's not masking it.

0 Karma

woodcock
Esteemed Legend

If you are using INDEXED_EXTRACTIONS to create those fields, then they are created at Index-Time in the time parsing portion of the pipeline that executes before the SEDCMD is executed. If you get SEDCMD working what should happen is that field _raw will be modified, but the INDEXED_EXTRACTIONS fields will still contain the pre-mod text.

0 Karma

MuS
SplunkTrust

This is why I told this before 😉 ->

Place this on the Splunk instance where the parsing happens
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

0 Karma

MuS
SplunkTrust

Hi locose,

looks like the regex does not match your example events; this regex will match:

[SsNn_]+.+?['\s]+\d+'

tested and working on https://regex101.com . So your props.conf should look like this:

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g

Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings and restart Splunk; it will also only be applied to new events.

Hope this helps ...

cheers, MuS

0 Karma

locose
Path Finder

So my search query is still

sourcetype = my_source_type SSN

I'm still getting

SsN_ENA
Call_SSN
BLA_sSN

in the search results

In the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx\1/g

0 Karma

MuS
SplunkTrust

take this run everywhere search which works:

| gentimes start=-1 | eval foo="'Call_SSN'   '123456789'
 'Ssn_bla'    '987654321'
 'bla_SSN'    '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g"

my provided SEDCMD will only replace the values NOT the fields.

0 Karma
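The regexes in this thread can be checked offline before touching props.conf. The script below is an added example, not code from the thread or from Splunk: it uses Python's `re` to approximate sed-style `s/pattern/replacement/g` substitution (Splunk's SEDCMD and `rex mode=sed` use the same `\1` backreference syntax, but Python's engine is an approximation, not Splunk's parser). It runs the original pattern from the question and the pattern from the answer over constructed copies of the three sample events, adds a tighter pattern of my own (an assumption, not part of the thread) that keeps the field name and masks only the first five digits of the value, and checks that every `\N` in a replacement refers to a capture group that actually exists in the pattern, which the later `\1` variant in the thread does not.

```python
import re

# Constructed sample events mirroring the ones shown in the question (not real data).
SAMPLE_EVENTS = [
    "'Call_SSN'   '123456789'",
    "'Ssn_bla'    '987654321'",
    "'bla_SSN'   '123456789'",
]

# Pattern from the original props.conf in the question: it expects "=" before the digits,
# which none of the sample events contain, so it never matches.
ORIGINAL_PATTERN = r"=\d{5}(\d{4})"
ORIGINAL_REPLACEMENT = r"*SSN   xxxxx\1"

# Pattern from the answer: matches from the SSN-ish field name through the quoted value.
ANSWER_PATTERN = r"[SsNn_]+.+?['\s]+\d+'"
ANSWER_REPLACEMENT = "*SSN    xxxxx"

# Assumed tighter pattern (my own, not from the thread): keep the quoted field name and
# the surrounding quotes, mask the first five digits, keep the last four.
TIGHT_PATTERN = r"('[^']*[Ss][Ss][Nn][^']*'\s+')\d{5}(\d{4}')"
TIGHT_REPLACEMENT = r"\1xxxxx\2"


def sed_substitute(pattern, replacement, text):
    """Approximate a SEDCMD 's/pattern/replacement/g' using Python's re.sub.
    Both use \\N for backreferences; the /g flag corresponds to re.sub's default
    of replacing every match."""
    return re.sub(pattern, replacement, text)


def mask_with_original(event):
    """Apply the question's original SEDCMD; returns the event unchanged for the samples."""
    return sed_substitute(ORIGINAL_PATTERN, ORIGINAL_REPLACEMENT, event)


def mask_with_answer(event):
    """Apply the answer's SEDCMD; replaces field name tail and value with '*SSN    xxxxx'."""
    return sed_substitute(ANSWER_PATTERN, ANSWER_REPLACEMENT, event)


def mask_tight(event):
    """Apply the assumed tighter SEDCMD; masks only the value, keeps the field name."""
    return sed_substitute(TIGHT_PATTERN, TIGHT_REPLACEMENT, event)


def backrefs_resolve(pattern, replacement):
    """Return True when every \\N in the replacement points at a capture group that the
    pattern defines. re.sub raises re.error otherwise; checking first avoids a surprise
    at index time."""
    group_count = re.compile(pattern).groups
    referenced = [int(n) for n in re.findall(r"\\(\d+)", replacement)]
    return all(1 <= n <= group_count for n in referenced)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("raw     :", event)
        print("original:", mask_with_original(event))
        print("answer  :", mask_with_answer(event))
        print("tight   :", mask_tight(event))
        print()
    # The thread's later variant appends \1 to the answer's pattern, which has no group.
    print("answer pattern + \\1 resolves:",
          backrefs_resolve(ANSWER_PATTERN, ANSWER_REPLACEMENT + r"\1"))
```

The answer's pattern does mask the digits, but because `[SsNn_]+.+?` starts at the first `S`, `s`, `N`, `n` or `_` in the field name, it also eats part of the name (`'Call_SSN'` becomes `'Call*SSN    xxxxx`), which is what "will only replace the values NOT the fields" refers to in practice. The tighter pattern is one way to keep the field name intact while still never letting a full SSN reach the index; whichever pattern is used, it still has to live on the instance that parses the data and only affects events indexed after the restart, as stated above.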

locose
Path Finder

Hello MuS

unfortunately that didn't work

0 Karma

MuS
SplunkTrust

Can you tell what you did?

0 Karma