Getting Data In

Why is Anonymize data not working?

vengisa
Loves-to-Learn Lots

Hello,

I am trying to anonymize data on the forwarder using the below:

The data AABC123456789012 needs to be transformed to AABC12XXXXXX9012

The regex does not seem to be working.

Any help is appreciated. 

Mar 31 13:34:56 10.209.7.69 Mar 31 13:34:56 1234567890_admin yia0WAM 65.92.243.116 eyuiopppp.***.com 123.55.000.88 - AABC123456789012 [31/Mar/2022:13:34:39 -0400] 'GET /me-and-***/***intranetstandards/_assets-responsive/v1/fonts/trtr/rtyruroop-ghjtltutt-webfont.woff HTTP/1.1' 200 29480 erty-tyunht.pg.uhg.com 31/Mar/2022:13:34:39.531 -0400 6163 text/plain; charset=UTF-8 "https://****.yyy.com/assets/hr/css/*******.min.css"

transforms.conf

[abcbc_isam]
REGEX = 'AABC[0-9]{5,16}'
DEST_KEY = _raw
FORMAT = $1AABC[0-9]{2}XXXXXX[0-9]{4}$2


props.conf

[host::AE110501]
TRANSFORMS-set= abcbc_isam
disabled = false

0 Karma

venky1544
Builder

Hi @vengisa 

You can try SEDCMD in props.conf; it does not require a transform, but it has to go on the indexer.
A SED script works at index time and is executed on the _raw field, so it should be on the indexer.

First you can test the SED expression with a rex in a search, to check whether the masking is working:

your search | rex mode=sed field=_raw "s/(AABC\d{2})\d{6}(\d{4})/\1XXXXXX\2/g"

If it works, just write this in props.conf; you do not need to write transforms.conf:

[websphere_trlog_sysout]
SEDCMD-replace = s/(AABC\d{2})\d{6}(\d{4})/\1XXXXXX\2/g

Then restart the server.

Hope this helps.

0 Karma

PickleRick
SplunkTrust

Are you trying to do it on a Universal Forwarder? It won't work. You have to do it on the first "heavy" component (based on a full Splunk Enterprise installation package) in the event's path. If you're sending events from UFs directly to indexers, do it on the indexers. If you have an intermediate layer of HFs, do it on the HFs.

0 Karma

vengisa
Loves-to-Learn Lots

Yes. I am using heavy forwarder -> indexer -> search head

0 Karma

PickleRick
SplunkTrust

And you put those props and transforms where?

0 Karma

somesoni2
Revered Legend

Give this a try:

[abcbc_isam]
REGEX = (?m)^(.*)(AABC)\d{8}(\d{4})(.*)$
DEST_KEY = _raw
FORMAT = $1$2XXXXXXXX$3$4
0 Karma
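A way to check a masking expression offline before touching the heavy forwarder, covering both the rex/SEDCMD route and the transforms.conf route above. This is an added Python example, not code from the thread or from Splunk; the sample event, the `$n` expansion and the rule that FORMAT becomes the entire new _raw (as in Splunk's documented anonymizer example, where the surrounding text is captured with `(.*)` and written back) are assumptions it makes about index-time transform behaviour.

```python
import re

# Constructed sample event in the shape of the one in the question; the
# addresses and hostnames are documentation placeholders, not real systems.
EVENT = ("Mar 31 13:34:56 192.0.2.7 1234567890_admin user01 198.51.100.4 "
         "portal.example.com - AABC123456789012 [31/Mar/2022:13:34:39 -0400] "
         "'GET /assets/fonts/webfont.woff HTTP/1.1' 200 29480")

# Any 12-digit identifier that survives masking is a leak.
RAW_ID = re.compile(r"AABC\d{12}")


def apply_sedcmd(raw, regex, replacement):
    """Emulate SEDCMD / rex mode=sed: substitute every match, rest untouched."""
    return re.sub(regex, replacement, raw)


def apply_transform(raw, regex, fmt):
    """Emulate an index-time transform with DEST_KEY = _raw.

    Assumption (matches Splunk's documented anonymizer example): FORMAT becomes
    the entire new _raw, so any text not captured and echoed back via $n is lost.
    """
    m = re.search(regex, raw)
    if m is None:
        return raw
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)


def is_masked(raw):
    """Post-deployment check: no unmasked identifier left in the event."""
    return RAW_ID.search(raw) is None


# Keep the first two and last four digits, mask the six in between.
SED_OK = (r"(AABC\d{2})\d{6}(\d{4})", r"\1XXXXXX\2")
# Unanchored transform: only the identifier is captured, so the event collapses.
TRANSFORM_BAD = (r"(AABC)\d{8}(\d{4})", "$1XXXXXXXX$2")
# Anchored transform: the surrounding text is captured and written back.
TRANSFORM_OK = (r"(?m)^(.*)(AABC\d{2})\d{6}(\d{4})(.*)$", "$1$2XXXXXX$3$4")

if __name__ == "__main__":
    for label, out in (("sed", apply_sedcmd(EVENT, *SED_OK)),
                       ("bad transform", apply_transform(EVENT, *TRANSFORM_BAD)),
                       ("ok transform", apply_transform(EVENT, *TRANSFORM_OK))):
        print(f"{label:14} masked={is_masked(out)} -> {out}")
```

Note that `is_masked` reports the collapsed event as masked too: a transform that wipes the event passes a leak check while destroying the log, so compare the output length against the input as well.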

vengisa
Loves-to-Learn Lots

Nope. Still not working.

0 Karma