Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use K-anonymity with Splunk?

MarcHelou
New Member
‎09-25-2017 05:21 AM

Hello,
Let's say i have a csv file that contains sensitive data, I want on index to group multiple lines as one event in a way that it doesnt compromise my data. So let's say:
User - Age
U1 - 12
U2 - 13
U3 - 17
U4 - 15
U5 - 20
How can I group for example each 2 users as one event as so(of course before indexing and not on search time):
U1,U2 - 12,13
U3,U4 - 17-15
...
Thanks in advance

0 Karma
Reply

DalJeanis
Legend
‎09-25-2017 08:19 AM

I don't understand the reason for your business case, but here is what I would do to achieve your stated objective. Instead of running it through a standard indexing, I would bring it in, aggregate it, and then collect the aggregated data into a summary index. 

   | inputcsv mystuff.csv 

   | rename COMMENT as "Assign every pair of records to a group, then stats the group together " 
   | streamstats count as recno
   | eval groupno = floor( ( 1+ recno ) / 2 )
   | stats list(User) as User list(Age) as Age by groupno

   | rename COMMENT as "Set time, Get rid of unneeded fields, then copy them to the new index."
   | eval _time = now() 
   | table _time User Age 
   | collect .... send to desired index...

If you want to break the link of order between each User and his Age, then do this to sort the fields after the stats command. This will break the relationship between any individual Age and its User.

   | stats list(User) as User list(Age) as Age by groupno
   | eval User=mvsort(User)
   | eval Age=mvsort(Age)

If you want to change the number of records in each group to some number K, change line 5 to use your new K-1 and K as follows:

   | eval groupno = floor( ( K-1 + recno ) / K )

Updated to remove suggestion to use values, since that would delete duplicates.

There is also an issue with this anonymization method if using K=2 or k=3 and all of the Users have the same Age. Sigh.

   | inputcsv mystuff.csv 

   | rename COMMENT as "make sure that no two of the same Age are sequential." 
   | streamstats count as ageno by Age
   | eventstats count as totalcount 
   | eventstats max(ageno) as agecount by Age
   | eval myorder=round((ageno-0.5)/agecount,2)
   | sort 0 myorder User

   | rename COMMENT as "Assign every pair of records to a group, then stats the group together " 
   | streamstats count as recno
   | eval groupno = floor( ( 1+ recno ) / 2 )
   | stats list(User) as User list(Age) as Age by groupno

   | rename COMMENT as "Set time, Get rid of unneeded fields, then copy them to the new index."
   | eval _time = now() 
   | table _time User Age 
   | collect .... send to desired index...

To work, the above depends on no one Age predominating in the data set.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...