
Why is Anonymize data not working?

vengisa
Loves-to-Learn Lots

Hello,

I am trying to anonymize data in the forwarder using the below:

The data AABC123456789012 needs to be transformed to AABC12XXXXXX9012

The regex seems to be not working.

Any help is appreciated.

Mar 31 13:34:56 10.209.7.69 Mar 31 13:34:56 1234567890_admin yia0WAM 65.92.243.116 eyuiopppp.***.com 123.55.000.88 - AABC123456789012 [31/Mar/2022:13:34:39 -0400] 'GET /me-and-***/***intranetstandards/_assets-responsive/v1/fonts/trtr/rtyruroop-ghjtltutt-webfont.woff HTTP/1.1' 200 29480 erty-tyunht.pg.uhg.com 31/Mar/2022:13:34:39.531 -0400 6163 text/plain; charset=UTF-8 "https://****.yyy.com/assets/hr/css/*******.min.css"

transforms.conf

[abcbc_isam]
REGEX = 'AABC[0-9]{5,16}'
DEST_KEY = _raw
FORMAT = $1AABC[0-9]{2}XXXXXX[0-9]{4}$2


props.conf

[host::AE110501]
TRANSFORMS-set= abcbc_isam
disabled = false

0 Karma

venky1544
Builder

Hi @vengisa

You can try SEDCMD in props.conf; it does not require a transform, but this should go on the indexer.
The SED script works at index time and is executed on the _raw field, so it should be on the indexer.

First, you can test the SEDCMD with rex in a search, to check if the masking is working:

your search | rex mode=sed field=_raw "s/(AABC\d{2})\d{6}(\d{4})/\1XXXXXX\2/g"

If it works, just write this in props.conf. You do not need to write transforms.conf.

[websphere_trlog_sysout]
# keep "AABC" plus the first two digits and the last four digits, mask the six in between
SEDCMD-replace = s/(AABC\d{2})\d{6}(\d{4})/\1XXXXXX\2/g

Then restart the server.

Hope this helps


0 Karma

PickleRick
SplunkTrust

Are you trying to do it on a Universal Forwarder? It won't work. You have to do it on the first "heavy" (based on a full Splunk Enterprise installation package) component in the event's path. If you're sending events from UFs directly to indexers, do it on the indexers. If you have an intermediate layer of HFs, do it on the HFs.

0 Karma

vengisa
Loves-to-Learn Lots

Yes. I am using heavy forwarder -> indexer -> search head

0 Karma

PickleRick
SplunkTrust

And you put those props and transforms where?

0 Karma

somesoni2
SplunkTrust

Give this a try

[abcbc_isam]
# group 1 = "AABC" + first two digits, group 2 = last four digits; the middle six are replaced
REGEX = (AABC\d{2})\d{6}(\d{4})
DEST_KEY = _raw
FORMAT = $1XXXXXX$2
0 Karma
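To check the masking pattern from the rex and transforms answers above without touching a Splunk instance, here is an added Python example (not from the thread and not Splunk's code); it assumes a constructed event trimmed from the one in the question and a minimal parser for the s/// form that SEDCMD uses.

```python
import re

# Constructed sample event, trimmed from the one in the question.
SAMPLE_EVENT = (
    "Mar 31 13:34:56 10.209.7.69 1234567890_admin 65.92.243.116 "
    "123.55.000.88 - AABC123456789012 [31/Mar/2022:13:34:39 -0400] "
    "'GET /fonts/webfont.woff HTTP/1.1' 200 29480"
)

# Same capture groups as the transforms.conf / SEDCMD answers:
# group 1 keeps "AABC" plus two digits, group 2 keeps the last four digits.
ISAM_PATTERN = re.compile(r"(AABC\d{2})\d{6}(\d{4})")
MASKED_FORM = re.compile(r"AABC\d{2}X{6}\d{4}")


def mask_isam(raw: str) -> str:
    """Replace the middle six digits of every AABC identifier with X."""
    return ISAM_PATTERN.sub(r"\1XXXXXX\2", raw)


def apply_sed_substitution(expr: str, raw: str) -> str:
    """Apply a Splunk-style 's/regex/replacement/[g]' expression with Python's re.

    Assumes '/' is the delimiter and no slash is escaped (true for the SEDCMD
    in this thread). Without the g flag, sed replaces only the first match.
    """
    if not expr.startswith("s/"):
        raise ValueError("only s/// substitutions are supported")
    _, pattern, repl, flags = expr.split("/")
    count = 0 if "g" in flags else 1
    return re.sub(pattern, repl, raw, count=count)


def check_masking(raw: str) -> dict:
    """What to verify before shipping the config: nothing leaks, nothing else changes."""
    masked = mask_isam(raw)
    original_ids = re.findall(r"AABC\d{12}", raw)
    # Remove the identifiers from both versions; the remainders must be identical,
    # which proves the IPs, timestamps and other digit runs were left alone.
    rest_before = ISAM_PATTERN.sub("", raw)
    rest_after = MASKED_FORM.sub("", masked)
    return {
        "masked": masked,
        "leaked": [i for i in original_ids if i in masked],
        "untouched_elsewhere": rest_before == rest_after,
    }


if __name__ == "__main__":
    print(check_masking(SAMPLE_EVENT)["masked"])
```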

vengisa
Loves-to-Learn Lots

Nope. Still not working.

0 Karma