
How to mask SSN at index-time using SEDCMD in props.conf?

locose
Path Finder

I'm trying to mask SSN using the SEDCMD command, but it isn't working.

My search:

sourcetype = my_source_type   *SSN

returns

'Call_SSN'   '123456789'
'Ssn_bla'    '987654321'
'bla_SSN'   '123456789'

I updated the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/=\d{5}(\d{4})/*SSN   xxxxx\1/g

But it's not masking it.

0 Karma

woodcock
Esteemed Legend

If you are using INDEXED_EXTRACTIONS to create those fields, then they are created at Index-Time in the time parsing portion of the pipeline that executes before the SEDCMD is executed. If you get SEDCMD working what should happen is that field _raw will be modified, but the INDEXED_EXTRACTIONS fields will still contain the pre-mod text.

0 Karma

MuS
SplunkTrust

This is why I told this before 😉 ->

Place this on the Splunk instance where the parsing happens
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

0 Karma

MuS
SplunkTrust

Hi locose,

looks like the regex does not match your example events; this regex will match:

 [SsNn_]+.+?['\s]+\d+'

tested and working on https://regex101.com . So your props.conf should look like this:

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g

Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings and restart Splunk; it will also only be applied to new events.

Hope this helps ...

cheers, MuS

0 Karma

locose
Path Finder

So my search query is still

sourcetype = my_source_type SSN

I'm still getting

SsN_ENA
Call_SSN
BLA_sSN

in the search results

In the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx\1/g

0 Karma

MuS
SplunkTrust

take this run everywhere search which works:

| gentimes start=-1 | eval foo="'Call_SSN'   '123456789'
 'Ssn_bla'    '987654321'
 'bla_SSN'    '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g"

my provided SEDCMD will only replace the values NOT the fields.

0 Karma
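As an added example (not code from the thread or from Splunk), a small Python harness that applies the thread's SEDCMD expressions to constructed copies of the three events, so you can see exactly which bytes of _raw each pattern rewrites before you restart Splunk. KEEP_LAST4_SEDCMD, parse_sedcmd, apply_sedcmd and mask_events are my names; the keep-last-4 pattern assumes each SSN is a quoted 9-digit value, and Python's re is used as a stand-in for Splunk's PCRE for these patterns.

```python
import re

# Constructed sample events mirroring the thread's search results (not real data).
EVENTS = [
    "'Call_SSN'   '123456789'",
    "'Ssn_bla'    '987654321'",
    "'bla_SSN'   '123456789'",
]

# The two expressions from the thread, plus an assumed alternative that leaves the
# field name alone and keeps the last four digits (what the original "\1" intended).
ORIGINAL_SEDCMD = r"s/=\d{5}(\d{4})/*SSN   xxxxx\1/g"
MUS_SEDCMD = r"s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g"
KEEP_LAST4_SEDCMD = r"s/'(\d{5})(\d{4})'/'xxxxx\2'/g"  # assumption: SSN is 9 quoted digits


def parse_sedcmd(expr):
    """Split a SEDCMD 's/<regex>/<replacement>/<flags>' into its three parts.

    Only the '/' delimiter is handled; a '/' inside the regex must be escaped as '\\/'.
    """
    if not expr.startswith("s/"):
        raise ValueError("only s/// substitutions are supported")
    parts = re.split(r"(?<!\\)/", expr[2:])  # split on unescaped '/'
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    return parts[0], parts[1], parts[2]


def apply_sedcmd(expr, raw):
    """Apply one SEDCMD to a single _raw string; backrefs like \\1 work as in sed."""
    pattern, repl, flags = parse_sedcmd(expr)
    count = 0 if "g" in flags else 1  # 'g' = every match, otherwise first match only
    return re.sub(pattern, repl, raw, count=count)


def mask_events(expr, events=EVENTS):
    """Run a SEDCMD over every sample event and return the rewritten _raw values."""
    return [apply_sedcmd(expr, e) for e in events]


if __name__ == "__main__":
    for name, expr in [("original", ORIGINAL_SEDCMD), ("MuS", MUS_SEDCMD),
                       ("keep last 4", KEEP_LAST4_SEDCMD)]:
        print(f"--- {name}: {expr}")
        for before, after in zip(EVENTS, mask_events(expr)):
            print(f"{before!r:30} -> {after!r}")
```

The original expression never matches because the events contain no "=", so _raw is left untouched; compare how much of each event the other two patterns consume.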

locose
Path Finder

Hello MuS

unfortunately that didn't work

0 Karma

MuS
SplunkTrust

Can you tell what you did?

0 Karma