Getting Data In

Masking account numbers

KarlGechlik
Explorer

Hello we are trying to mask an account#'s last 5 digits. I have added this to props.conf

[annon]
TRANSFORMS-anonymize = hideacct-number

and this to transforms.conf

[hideacct-number]
REGEX=(.*AcctCode=\d{5}-).*
FORMAT=$1xxxxx

I stopped splunk and cleaned the index and then started it again and the account numbers are still there completely. What are we missing?

Update: I am using 4.2.3 and I am trying to mask the last 5 characters with X's. I am trying JSapienza's answer now and will keep you posted. Thanks!

Update2: That did not help. It does not change my data. I tried REPORT as well with the same results.

0 Karma
1 Solution

KarlGechlik
Explorer

Turns out it was a combination of JSapienza's answer and removing my header in props.conf:

props.conf:

EXTRACT- = .TraderID:(?.)

TRANSFORMS = hideacct-number

transforms.conf:

[hideacct-number]
DEST_KEY =_raw
REGEX=(.AcctCode=\d{5}-).
FORMAT=$1xxxxx

and apparently the DEST_KEY =_raw needs to be at the top of transforms.conf

View solution in original post

0 Karma

MicroAlpha
Explorer

Another way, albeit external and not free, is with a third-party masking tool for the data sources you would index into Splunk. I found this:

http://www.iri.com/blog/data-protection/secure-then-splunk-a-format-preserving-encryption-and-pseduo...

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Another, perhaps simpler, way of accomplishing this is by using SEDCMD. See http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatawithsed

KarlGechlik
Explorer

Turns out it was a combination of JSapienza's answer and removing my header in props.conf:

props.conf:

EXTRACT- = .TraderID:(?.)

TRANSFORMS = hideacct-number

transforms.conf:

[hideacct-number]
DEST_KEY =_raw
REGEX=(.AcctCode=\d{5}-).
FORMAT=$1xxxxx

and apparently the DEST_KEY =_raw needs to be at the top of transforms.conf

View solution in original post

0 Karma

gekoner
Communicator

Karl,
Can you provide some additional information? It is always helpful to understand what version you are running.

Also can explain in a little more detail what you are trying to do? Are you attempting to take an account number that is in the format ##### to replace the "numbers" with "xxxxx"?

0 Karma

JSapienza
Contributor

If I'm not mistaken, I think you need to set the DEST_KEY = _raw so the indexer knows to mask at index time from the raw event.

0 Karma

KarlGechlik
Explorer

This did not help. I added this to transforms.conf and it still does not modify the data in the field at all.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!