Masking SSN info into splunk at index time

mike7860
Explorer

I would like to know how to mask SSN information in Splunk at index time. There is documentation available on the Splunk homepage. But the question arises whether the props.conf and transforms.conf configurations should be done on the indexer side, as we have a multi-tiered Splunk network. Then, the other question is: how do I compile a rex expression for masking SSN data from the following log source:

index=web sourcetype=weblogic_app ssn





    </env:Header>
    <env:Body>
    <ns2:ContractsWithProductInfoResponse>
    <ns2:ParticipantDetails>
    <ns2:Pin>2895237</ns2:Pin>
    <ns2:SSN></ns2:SSN>

yannK
Splunk Employee

Try the SEDCMD command in props.conf, and deploy it on your parsing instances:
See http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Anonymizedatausingconfigurationfiles

  • on all indexers
  • on all heavy forwarders
  • in case of csv/iis or INDEXED_EXTRACTION sourcetypes (since Splunk 6.1), on the forwarders (even the Universal and Lightweight)

    [mysourcetype]
    SEDCMD-hidessn=s/(GovernmentIDNumber: SSN: \d{3})(\d{6})/\1xxxxxxx/g

GovernmentIDNumber: SSN: 555666666
-> GovernmentIDNumber: SSN: 555xxxxxxx

johnhsu
Observer

Regex for masking Social Security Number in XML TAG

Result:

<relatedPolicies />
<socialSecurityNumber>###-##-1234</socialSecurityNumber>
<ssnRefusedIndicator>false</ssnRefusedIndicator>

transforms.conf:

[SSN-anonymizer]
REGEX = (?ms)^(.*)\<[sS]ocialSecurityNumber>\d{3}-?\d{2}-?(\d{4}.*)$
FORMAT = $1<socialSecurityNumber>###-##-$2
DEST_KEY = _raw

Note:
In Splunk V6.0.1, in my testing, the masking function failed if the record is very large, for example 15KB, and the SSN is out of 100 lines (or some position).

Thanks
Sincerely
John Hsu

0 Karma

johnhsu
Observer

Sorry! Try again

should be

REGEX = (?ms)^(.*)\<[sS]ocialSecurityNumber>\d{3}-?\d{2}-?(\d{4}.*)$

Thanks
Sincerely
John Hsu

0 Karma

Lowell
Super Champion

Johnsu, just so you know. You can edit your own answers. That's preferred over posting new ones. Thanks for taking the time to post your corrections!

johnhsu
Observer

Corrected: Don't know why I missed the star "*" after those two dots in the post.
Trying to post again:
"REGEX = (?ms)^(.*)<[sS]ocialSecurityNumber>\d{3}-?\d{2}-?(\d{4}.*)$"

Thanks
Sincerely
John Hsu

0 Karma

rgcurry
Contributor

Check out the Splunk Doc page at

http://docs.splunk.com/Documentation/Splunk/4.2.1/Data/Anonymizedatausingconfigurationfiles

It includes a SED example that fits closely to what you are wanting to do. The only difference is your data is XML formatted versus the 'straight' text of the doc example, but that is not a big deal to deal with in the RegEx you'd use to pinpoint your data to mask.
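The two approaches in this thread (a SEDCMD substitution and a REGEX/FORMAT transform writing to _raw) behave differently when one event carries more than one SSN. The following is an added example, not code from any poster or from Splunk: it emulates both with Python's `re` module on a constructed event. The sed-style pattern for the XML tag is a hypothetical adaptation, the transform is assumed to match once per event, and Python's regex engine stands in for Splunk's PCRE.

```python
import re

# johnhsu's transforms.conf stanza, copied from the post above.
TRANSFORM_REGEX = r"(?ms)^(.*)\<[sS]ocialSecurityNumber>\d{3}-?\d{2}-?(\d{4}.*)$"
TRANSFORM_FORMAT = "$1<socialSecurityNumber>###-##-$2"

# Hypothetical sed-style equivalent (not from the thread), i.e.
# SEDCMD-hidessn = s/(<[sS]ocialSecurityNumber>)\d{3}-?\d{2}-?(\d{4})/\1###-##-\2/g
SED_PATTERN = r"(<[sS]ocialSecurityNumber>)\d{3}-?\d{2}-?(\d{4})"
SED_REPLACEMENT = r"\1###-##-\2"

# Constructed event: two SSNs, one dashed and one undashed.
EVENT = (
    "<participant>\n"
    "<socialSecurityNumber>123-45-6789</socialSecurityNumber>\n"
    "</participant>\n"
    "<participant>\n"
    "<socialSecurityNumber>987654321</socialSecurityNumber>\n"
    "</participant>"
)


def apply_transform(raw):
    """Emulate REGEX/FORMAT with DEST_KEY = _raw, assuming one match per event."""
    m = re.search(TRANSFORM_REGEX, raw)
    if m is None:
        return raw
    # Expand $1, $2 in FORMAT; the result replaces the whole event.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), TRANSFORM_FORMAT)


def apply_sedcmd(raw):
    """Emulate s/.../.../g: every occurrence is rewritten."""
    return re.sub(SED_PATTERN, SED_REPLACEMENT, raw)


def unmasked_ssns(raw):
    """Return anything that still looks like a full nine-digit SSN."""
    return re.findall(r"\b\d{3}-?\d{2}-?\d{4}\b", raw)


if __name__ == "__main__":
    for name, fn in (("transform", apply_transform), ("sedcmd", apply_sedcmd)):
        masked = fn(EVENT)
        print(name, "left unmasked:", unmasked_ssns(masked))
```

Because the leading `(.*)` is greedy, the single transform match lands on the last SSN tag and any earlier SSN is carried through inside `$1` unmasked, while the `/g` substitution rewrites every occurrence. For large events, transforms.conf also has a LOOKAHEAD setting (default 4096 characters) that limits how far into an event REGEX searches.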
