Getting Data In

Trying to Anonymise data using SED command

Venkat_16
Contributor

I have been trying out to Anonymise below logs using SED function,but its not wokring, Please find the use case below:

Input:

10.192.1.46 - - [30/Jul/2014:23:59:15] "POST /flower_store/order.do HTTP/1.1" 200 13849 "http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=SD5SL10FF8ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 1463 2971

Output:

10.192.1.46 - - [30/Jul/2014:23:59:15] "POST /flower_store/order.do HTTP/1.1" 200 13849 "http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=#####10FF8ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 1463 2971

Have deployed the below configuration in Indexer as using Sed command:

sourcetype is testing.

props.conf

[testing]
SEDCMD-testing = s/JSESSIONID=\w{2}\d\w{2}\d{2}\w{2}/JSESSIONID=#####\1/g

0 Karma
1 Solution

mayurr98
Super Champion

hey try this run anywhere search

| makeresults | eval raw="10.192.1.46 - - [30/Jul/2014:23:59:15] \"POST /flower_store/order.do HTTP/1.1\" 200 13849 \"http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=SD5SL10FF8ADFF3\" \"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10\" 1463 2971" | rex field=raw mode=sed "s/JSESSIONID=(\w{2}\d\w{2})/JSESSIONID=#####/g"

Ideally in your environment you should wirte

[testing]
SEDCMD-testing = s/JSESSIONID=(\w{2}\d\w{2})/JSESSIONID=#####/g

let me know if this helps !

View solution in original post

mayurr98
Super Champion

hey try this run anywhere search

| makeresults | eval raw="10.192.1.46 - - [30/Jul/2014:23:59:15] \"POST /flower_store/order.do HTTP/1.1\" 200 13849 \"http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=SD5SL10FF8ADFF3\" \"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10\" 1463 2971" | rex field=raw mode=sed "s/JSESSIONID=(\w{2}\d\w{2})/JSESSIONID=#####/g"

Ideally in your environment you should wirte

[testing]
SEDCMD-testing = s/JSESSIONID=(\w{2}\d\w{2})/JSESSIONID=#####/g

let me know if this helps !

Venkat_16
Contributor

I guess all your answers helped me thanks alot for that...i liked this one beucase it helped us learn a new command....make results...thanks aton

0 Karma

493669
Super Champion

Can you try below:

[testing]
SEDCMD-testing = s/JSESSIONID=\w{2}\d\w{2}(\d{2}\w{2})/JSESSIONID=#####\1/g

Venkat_16
Contributor

Thanks a lot for your help!

0 Karma

horsefez
Motivator

Hi,

you were missing a capture group

take this regex:
s/JSESSIONID=\w{2}\d\w{2}(\d{2}\w{2})/JSESSIONID=#####\1/g

Venkat_16
Contributor

Thanks alot it works!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...