Hello,
I am trying to anonymize data in the forwarder using the below:
The data AABC123456789012 needs to be transformed to AABC12XXXXXX9012.
The regex does not seem to be working.
Any help is appreciated.
Mar 31 13:34:56 10.209.7.69 Mar 31 13:34:56 1234567890_admin yia0WAM 65.92.243.116 eyuiopppp.***.com 123.55.000.88 - AABC123456789012 [31/Mar/2022:13:34:39 -0400] 'GET /me-and-***/***intranetstandards/_assets-responsive/v1/fonts/trtr/rtyruroop-ghjtltutt-webfont.woff HTTP/1.1' 200 29480 erty-tyunht.pg.uhg.com 31/Mar/2022:13:34:39.531 -0400 6163 text/plain; charset=UTF-8 "https://****.yyy.com/assets/hr/css/*******.min.css"
transforms.conf
[abcbc_isam]
REGEX = 'AABC[0-9]{5,16}'
DEST_KEY = _raw
FORMAT = $1AABC[0-9]{2}XXXXXX[0-9]{4}$2
props.conf
[host::AE110501]
TRANSFORMS-set= abcbc_isam
disabled = false
Hi @vengisa
You can try SEDCMD in props.conf; it does not require a transform, but this should go on the indexer.
The SED script works at index time and is executed on the _raw field, so it should be on the indexer.
First, you can test the sed expression with rex in a search to check whether the masking is working:
your search | rex mode=sed field=_raw max_match=0 "s/(AABC\d{2})\d{6}(\d{4})/\1XXXXXX\2/"
If it works, just write this in props.conf; you do not need to write transforms.conf.
[websphere_trlog_sysout]
SEDCMD-replace = s/(([\d+\-]+) ([\d+:]+))/XXXXXX/
Then restart the server.
Hope this helps
Are you trying to do it on a Universal Forwarder? It won't work. You have to do it on the first "heavy" component (based on a full Splunk Enterprise installation package) in the event's path. If you're sending events from UFs directly to indexers, do it on indexers. If you have an intermediate layer of HFs, do it on HFs.
Yes. I am using heavy forwarder -> indexer -> search head.
And you put those props and transforms where?
Give this a try
[abcbc_isam]
# With DEST_KEY = _raw, the expanded FORMAT becomes the whole event, so capture the text before and after the six digits being masked
REGEX = (?m)^(.*AABC\d{2})\d{6}(\d{4}.*)$
DEST_KEY = _raw
FORMAT = $1XXXXXX$2
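Before touching a forwarder, the two masking mechanisms discussed in this thread can be checked offline. The harness below is an added Python example, not code from the thread or from Splunk: it emulates a transforms.conf REGEX/FORMAT stanza with DEST_KEY = _raw (where Splunk writes the expanded FORMAT as the entire new _raw, which is why a stanza that only captures the identifier collapses the event to the identifier) and a SEDCMD / rex mode=sed substitution. The event is a constructed copy of the question's sample line with the hostnames shortened; the stanza and sed expression labelled "fixed" are my assumptions about the intended AABC12XXXXXX9012 result, not the author's configuration.

```python
import re

# Constructed sample event modelled on the line in the question (hostnames shortened).
EVENT = (
    "Mar 31 13:34:56 10.209.7.69 Mar 31 13:34:56 1234567890_admin yia0WAM "
    "65.92.243.116 eyuiopppp.example.com 123.55.000.88 - AABC123456789012 "
    "[31/Mar/2022:13:34:39 -0400] 'GET /fonts/webfont.woff HTTP/1.1' 200 29480"
)
# The result the question asks for: keep the first two and last four digits.
EXPECTED = EVENT.replace("AABC123456789012", "AABC12XXXXXX9012")

# transforms.conf stanza that captures only the identifier (does not yield the wanted event).
BROKEN_REGEX = r"(AABC)(\d{8})(\d{4})"
BROKEN_FORMAT = "$1XXXXXXXX$3"

# Assumed corrected stanza: capture everything before and after the six digits to be masked.
FIXED_REGEX = r"(?m)^(.*AABC\d{2})\d{6}(\d{4}.*)$"
FIXED_FORMAT = "$1XXXXXX$2"

# Assumed SEDCMD / rex mode=sed equivalent (Splunk sed uses \1, \2 back-references).
SED_EXPR = r"s/(AABC\d{2})\d{6}(\d{4})/\1XXXXXX\2/g"


def apply_transform(raw: str, regex: str, fmt: str) -> str:
    """Emulate a transforms.conf stanza with DEST_KEY = _raw.

    The expanded FORMAT string becomes the *entire* new _raw, so any text that
    REGEX did not capture (or FORMAT does not reference) is dropped. Events
    that REGEX does not match are left unchanged.
    """
    match = re.search(regex, raw)
    if match is None:
        return raw

    def expand(ref: re.Match) -> str:
        n = int(ref.group(1))
        if n > match.re.groups:
            return ""  # reference to a group that does not exist
        return match.group(n) or ""

    return re.sub(r"\$(\d+)", expand, fmt)


def apply_sedcmd(raw: str, sed_expr: str) -> str:
    """Emulate SEDCMD / `rex mode=sed` for an expression of the form s/regex/replacement/flags.

    Only the 'g' flag is honoured and the regex may not contain an escaped
    slash; neither is needed for the expressions in this thread.
    """
    if not sed_expr.startswith("s/"):
        raise ValueError("only s/// substitutions are supported")
    parts = sed_expr[1:].split("/")
    if len(parts) != 4:
        raise ValueError("expected s/regex/replacement/flags")
    _, pattern, replacement, flags = parts
    # Python's re.sub understands \1-style back-references in the replacement, as sed does.
    count = 0 if "g" in flags else 1
    return re.sub(pattern, replacement, raw, count=count)


def is_masked(raw: str) -> bool:
    """True when no unmasked 16-character AABC identifier remains in the event."""
    return re.search(r"AABC\d{12}", raw) is None


if __name__ == "__main__":
    print("identifier-only stanza :", apply_transform(EVENT, BROKEN_REGEX, BROKEN_FORMAT))
    print("whole-event stanza     :", apply_transform(EVENT, FIXED_REGEX, FIXED_FORMAT))
    print("sedcmd                 :", apply_sedcmd(EVENT, SED_EXPR))
```

Running it shows the identifier-only stanza reducing the whole event to `AABCXXXXXXXX9012`, while the whole-event stanza and the sed expression both leave the rest of the line intact with the identifier masked. Python's `re` is not Splunk's PCRE engine, so treat this as a sanity check of the regex logic and still confirm with `| rex mode=sed` on real data before deploying.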
Nope. Still not working.