Getting Data In

Why is Anonymize data not working?

vengisa
Loves-to-Learn Lots

Hello,

I am trying to anonymize data on the forwarder using the below:

The data AABC123456789012 needs to be transformed to AABC12XXXXXX9012

The regex does not seem to be working.

Any help is appreciated. 

Mar 31 13:34:56 10.209.7.69 Mar 31 13:34:56 1234567890_admin yia0WAM 65.92.243.116 eyuiopppp.***.com 123.55.000.88 - AABC123456789012 [31/Mar/2022:13:34:39 -0400] 'GET /me-and-***/***intranetstandards/_assets-responsive/v1/fonts/trtr/rtyruroop-ghjtltutt-webfont.woff HTTP/1.1' 200 29480 erty-tyunht.pg.uhg.com 31/Mar/2022:13:34:39.531 -0400 6163 text/plain; charset=UTF-8 "https://****.yyy.com/assets/hr/css/*******.min.css"

transforms.conf

[abcbc_isam]
REGEX = 'AABC[0-9]{5,16}'
DEST_KEY = _raw
FORMAT = $1AABC[0-9]{2}XXXXXX[0-9]{4}$2

 

props.conf

[host::AE110501]
TRANSFORMS-set= abcbc_isam
disabled = false

0 Karma

venky1544
Builder

Hi @vengisa 

You can try SEDCMD in props.conf; it does not require a transform, but this should go on the indexer.
The SED script works at index time and is executed on the _raw field, so it should be on the indexer.

First, you can test the SEDCMD with rex in a search to check whether the masking is working:

your search | rex mode=sed field=_raw max_match=0 "s/(AABC\d{2})\d{6}(\d{4})/\1XXXXXX\2/"

If it works, just write this in props.conf. You do not need to write transforms.conf.

[websphere_trlog_sysout]
# Syntax is s/<regex>/<replacement>/<flags>; \1, \2 refer to capture groups.
# This pattern masks a date/time string; use the AABC pattern from the rex above for the account number.
SEDCMD-replace = s/(([\d+\-]+) ([\d+:]+))/XXXXXX/

Then restart the server.

Hope this helps

 

0 Karma

PickleRick
SplunkTrust

Are you trying to do it on a Universal Forwarder? It won't work. You have to do it on the first "heavy" component (based on a full Splunk Enterprise installation package) in the event's path. If you're sending events from UFs directly to indexers, do it on the indexers. If you have an intermediate layer of HFs, do it on the HFs.

0 Karma

vengisa
Loves-to-Learn Lots

Yes. I am using heavy forwarder -> indexer -> search head

0 Karma

PickleRick
SplunkTrust

And you put those props and transforms where?

0 Karma

somesoni2
Revered Legend

Give this a try:

[abcbc_isam]
# With DEST_KEY = _raw, FORMAT becomes the whole event, so capture the text
# before and after the account number and put it back in FORMAT.
REGEX = (?m)^(.*)(AABC\d{2})\d{6}(\d{4})(.*)$
DEST_KEY = _raw
FORMAT = $1$2XXXXXX$3$4
0 Karma
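To check the masking outside Splunk before touching props.conf or transforms.conf, here is an added Python example (not code from this thread or from Splunk) that applies the rule the question asks for, AABC plus two digits kept, six digits masked, four digits kept, to a constructed sample line modelled on the one in the question. It emulates both approaches discussed in the answers above: a sed-style substitution as used by rex mode=sed and SEDCMD, and a transforms.conf stanza with DEST_KEY = _raw, where, as I read the Splunk documentation's anonymizing example, the expanded FORMAT string becomes the entire new _raw, so a REGEX that captures only the token drops the rest of the event. The $n expansion and the whole-_raw replacement are this example's emulation of that behaviour, an assumption, not Splunk's own code.

```python
import re
from typing import Optional

# Constructed sample event, modelled on the line in the question (not a real log).
SAMPLE_RAW = (
    "Mar 31 13:34:56 10.209.7.69 Mar 31 13:34:56 1234567890_admin yia0WAM "
    "65.92.243.116 eyuiopppp.example.com 123.55.000.88 - AABC123456789012 "
    "[31/Mar/2022:13:34:39 -0400] 'GET /assets/fonts/webfont.woff HTTP/1.1' 200 29480"
)

# Keep "AABC" and the next two digits, mask the following six, keep the last four:
# AABC123456789012 -> AABC12XXXXXX9012
TOKEN_PATTERN = re.compile(r"(AABC\d{2})\d{6}(\d{4})")


def sedcmd_mask(raw: str) -> str:
    """Emulate SEDCMD-mask = s/(AABC\\d{2})\\d{6}(\\d{4})/\\1XXXXXX\\2/
    (and rex mode=sed). A sed substitution rewrites only the matched span,
    so the rest of the event survives without extra capture groups."""
    return TOKEN_PATTERN.sub(r"\1XXXXXX\2", raw)


def transforms_format_mask(raw: str, regex: str, fmt: str) -> Optional[str]:
    """Emulate a transforms.conf stanza with DEST_KEY = _raw.

    Assumption (taken from the documented anonymizing example, not Splunk's code):
    when REGEX matches, the expanded FORMAT string becomes the whole new _raw;
    when it does not match, the event passes through, returned here as None.
    """
    m = re.search(regex, raw)
    if m is None:
        return None
    # Expand $1..$9 positionally, the way FORMAT refers to capture groups.
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", fmt)


# Token-only stanza: REGEX matches, but FORMAT has no groups for the text
# around the token, so the emulated _raw collapses to the masked token alone.
TOKEN_ONLY_REGEX = r"(AABC)(\d{8})(\d{4})"
TOKEN_ONLY_FORMAT = "$1XXXXXXXX$3"

# Whole-event stanza: capture everything before and after the token so FORMAT
# can put it back (the (?m)^(.*)...(.*)$ shape used in Splunk's docs).
WHOLE_EVENT_REGEX = r"(?m)^(.*)(AABC\d{2})\d{6}(\d{4})(.*)$"
WHOLE_EVENT_FORMAT = "$1$2XXXXXX$3$4"


def compare_approaches(raw: str) -> dict:
    """Run all three variants on one event and return the results by name."""
    return {
        "sedcmd": sedcmd_mask(raw),
        "token_only_transform": transforms_format_mask(raw, TOKEN_ONLY_REGEX, TOKEN_ONLY_FORMAT),
        "whole_event_transform": transforms_format_mask(raw, WHOLE_EVENT_REGEX, WHOLE_EVENT_FORMAT),
    }


if __name__ == "__main__":
    for name, result in compare_approaches(SAMPLE_RAW).items():
        print(f"{name}:\n  {result}\n")
```

Running it shows the sed substitution and the whole-event transform producing the same line with AABC12XXXXXX9012 in place of the account number, while the token-only transform leaves nothing but the 16-character masked token as the event. The same contrast is what to look for in Splunk: if the masked events arrive truncated to the token, the REGEX is missing the surrounding (.*) captures; if they arrive unmasked, the stanza is being applied on a component that does not parse (as PickleRick's reply above explains).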

vengisa
Loves-to-Learn Lots

Nope. Still not working.

0 Karma