Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using SEDCMD in Splunk Cloud

catchaj88
Explorer
‎12-19-2017 06:10 AM

Task: Mask PII data at Index Time

Current Setup: Universal forwards to forward logs to Splunk

Based on documentation, SEDCMD seems to be the best option to mask PII data at index time. How can I configure SEDCMD in Splunk Cloud.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-19-2017 07:41 AM

Your going to need backend access to apply SEDCMD.

Before doing this, why not just stream PII data to a new restricted index or even better, a restricted environment?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-19-2017 07:41 AM

Your going to need backend access to apply SEDCMD.

Before doing this, why not just stream PII data to a new restricted index or even better, a restricted environment?

0 Karma
Reply
Solved! Jump to solution

catchaj88
Explorer
‎12-19-2017 08:16 AM

@skoelpin

Thanks for the suggestion. We will be definitely using restricted indices for handling PII data.

However, my objective is to not have any sensitive data available in splunk at all. Do you have any suggestion to achieve that?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎12-19-2017 10:32 AM

Yes, if you want to take the added security then you should apply SEDCMD at index time. This will create a golden copy without the sensitive data.

This will require an indexer restart

Place this in your props.conf and restart splunkd. You will need to create a regular expression of your PII data and it will replace it with XXXXXXXXX. I you need help with the regex, you can post a sample (obviously not the real sample) and I can give you a hand. 

[sourcetype]
 sedcmd-removePII=s/<REGEX OF PII DATA>/XXXXXXXX/g

I would recommend testing this at search time first to make sure your sedcmd command is working correctly.

... | rex mode=sed s/<REGEX OF PII DATA>/XXXXXXXX/g

0 Karma
Reply
Solved! Jump to solution

catchaj88
Explorer
‎12-19-2017 10:34 AM

Thank you!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...