Task: Mask PII data at index time
Current setup: Universal forwarders forward logs to Splunk.
Based on documentation, SEDCMD seems to be the best option to mask PII data at index time. How can I configure SEDCMD in Splunk Cloud?
You're going to need backend access to apply SEDCMD.
Before doing this, why not just stream PII data to a new restricted index or even better, a restricted environment?
@skoelpin
Thanks for the suggestion. We will be definitely using restricted indices for handling PII data.
However, my objective is to not have any sensitive data available in Splunk at all. Do you have any suggestion to achieve that?
Yes, if you want to take the added security then you should apply SEDCMD at index time. This will create a golden copy without the sensitive data.
This will require an indexer restart.
Place this in your props.conf:
[sourcetype]
SEDCMD-removePII = s/<REGEX OF PII DATA>/XXXXXXXX/g
and restart splunkd. You will need to create a regular expression of your PII data and it will replace it with XXXXXXXX. If you need help with the regex, you can post a sample (obviously not the real sample) and I can give you a hand.
I would recommend testing this at search time first to make sure your SEDCMD command is working correctly.
... | rex mode=sed "s/<REGEX OF PII DATA>/XXXXXXXX/g"
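Before putting a SEDCMD into props.conf on the indexers, it is worth dry-running the exact sed script against sample events offline, since a regex that is too loose will scrub non-PII fields and one that is too tight will leak. The script below is an added example, not part of the original thread or of Splunk: it parses `s/<regex>/<replacement>/g` scripts in the same form as a SEDCMD value and applies them to a few constructed key=value events containing fake PII. It assumes `/` as the delimiter with no escaped slashes in the regex, and uses Python's `re` rather than Splunk's regex engine, so the patterns here are kept to syntax both engines share (character classes, quantifiers, `\1` backreferences).

```python
import re

# Constructed sample events (fake PII values, not real data), shaped like the
# key=value logs a universal forwarder might send to the indexer.
SAMPLE_EVENTS = [
    "2024-03-01T10:15:02Z app=payroll user=jdoe ssn=123-45-6789 action=view",
    "2024-03-01T10:15:03Z app=crm user=asmith email=alice.smith@example.com action=export",
    "2024-03-01T10:15:04Z app=billing user=bob card=4111111111111111 amount=42.50",
    "2024-03-01T10:15:05Z app=inventory sku=987-65-4321-X qty=12",
]

# Constructed list of the fake PII values above; after masking none should remain.
PII_VALUES = ["123-45-6789", "alice.smith@example.com", "4111111111111111"]


def parse_sed(script):
    """Parse a SEDCMD-style 's/<regex>/<replacement>/<flags>' script.

    Assumption: '/' is the delimiter and neither the regex nor the replacement
    contains an escaped slash. Returns (compiled_regex, replacement, count),
    where count=0 means the 'g' flag (replace all) and 1 means first match only.
    """
    if not script.startswith("s/"):
        raise ValueError("only s/// substitutions are supported")
    parts = script[2:].split("/")
    if len(parts) != 3:
        raise ValueError(f"malformed sed script: {script!r}")
    regex, repl, flags = parts
    count = 0 if "g" in flags else 1
    return re.compile(regex), repl, count


def apply_sedcmds(event, scripts):
    """Apply each sed script in order to one raw event, the way the parsing
    queue would rewrite _raw before it is written to disk."""
    for script in scripts:
        pattern, repl, count = parse_sed(script)
        event = pattern.sub(repl, event, count=count)
    return event


def mask_events(events, scripts):
    return [apply_sedcmds(e, scripts) for e in events]


def leaked_values(events):
    """Return the fake PII values still present in any masked event."""
    return [v for v in PII_VALUES if any(v in e for e in events)]


# Naive rule: masks any SSN-shaped token. It also clobbers the inventory SKU
# (987-65-4321-X) and does nothing about the email or card number.
NAIVE_SCRIPTS = [r"s/\d{3}-\d{2}-\d{4}/XXXXXXXX/g"]

# Scoped rules: anchor on the field name so only the PII field is rewritten.
# The card rule keeps the last four digits through a capture group (\1).
SCOPED_SCRIPTS = [
    r"s/ssn=\d{3}-\d{2}-\d{4}/ssn=XXXXXXXX/g",
    r"s/email=[^\s@]+@[^\s]+/email=XXXXXXXX/g",
    r"s/card=\d{12}(\d{4})/card=XXXXXXXXXXXX\1/g",
]

if __name__ == "__main__":
    for label, scripts in (("naive", NAIVE_SCRIPTS), ("scoped", SCOPED_SCRIPTS)):
        masked = mask_events(SAMPLE_EVENTS, scripts)
        print(f"--- {label} ---")
        for line in masked:
            print(line)
        print("leaked:", leaked_values(masked))
```

The two rule sets show the failure mode in both directions: the naive script rewrites the SKU, which is not PII, while leaving the email and card number untouched, whereas the field-anchored scripts mask exactly the three sensitive values and nothing else. Once a script passes this kind of check, the same string goes into the `SEDCMD-<class>` setting on the parsing tier (indexers or heavy forwarders, where props.conf transforms are applied), with the `| rex mode=sed` search from the answer above as the final confirmation against live data.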
Thank you!