Security

Removal of the confidential data

uagraw01
Builder

Hello Splunkers!!

Below are the sample events in which I want to mask the UserId field and the Password field. There are no selected or interesting fields available, so I want to mask them directly in the raw event. Please suggest a solution from the UI using the rex command in sed mode, and a second solution using props.conf & transforms.conf from the backend.

Sample log:
<?xml version="1.0" encoding="UTF-8"?>
<HostMessage><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="no"?><UserMasterRequest><MessageID>25255620</MessageID><MessageCreated>2024-04-05T07:00:55Z</MessageCreated><OpCode>CHANGEPWD</OpCode><UserId>pnkof123</UserId><Password>Summer123</Password><PasswordExpiry>2024-06-09</PasswordExpiry></UserMasterRequest>]]><original_header><IfcLogHostMessage xsi:schemaLocation="http://vanderlande.com/FM/Gtw/GtwLogging/V1/0/0 GtwLogging_V1.0.0.xsd">
<MessageId>25255620</MessageId>
<MessageTimeStamp>2024-04-05T05:00:55Z</MessageTimeStamp>
<SenderFmInstanceName>CMP_GTW</SenderFmInstanceName>
<ReceiverFmInstanceName>FM_BPI</ReceiverFmInstanceName>
 
</IfcLogHostMessage></original_header></HostMessage>

uagraw01
Builder

@ITWhisperer @scelikok I created the below two regexes and I think they are working fine from the UI.

| rex field=_raw mode=sed "s/(<Password>)[^<]+/\1Placeholder/g"
| rex field=_raw mode=sed "s/(<UserId>)[^<]+/\1UserID/g"

One question: shall I apply the same regex in transforms.conf?


scelikok
SplunkTrust

Hi @uagraw01,

You can also use Ingest Actions on UI.

https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/DataIngest#Mask_with_regular_expression


If this reply helps you, an upvote and "Accept as Solution" is appreciated.

ITWhisperer
SplunkTrust

rex has a mode option which can be set to sed to allow for edits to strings

rex - Splunk Documentation

props.conf has SEDCMD- stanzas which can do the editing before indexing

props.conf - Splunk Documentation
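The backend half of the question (the user's follow-up asks whether the same regex goes into transforms.conf, and ITWhisperer points at SEDCMD in props.conf) as a worked example. This is an added example, not configuration from the original thread or from Splunk's documentation; the sourcetype name hostmessage_xml is an assumption, pick the one your data actually uses. The sed expressions capture the opening tag so that the masked event stays well-formed XML (a pattern of the form Password\>[A-Za-z0-9]+ replaced by a literal would also eat the closing > of the tag, because \> is not a word boundary in Splunk's regex engine). Either block does the job on its own: SEDCMD is the shorter form; the TRANSFORMS form is shown because it is the one that lives in transforms.conf.

```ini
# props.conf  (parsing tier: indexers or heavy forwarders, not universal forwarders)
# Assumed sourcetype name; masking applies only to data indexed after a restart/reload.
[hostmessage_xml]

# Option 1: SEDCMD-* runs at parse time with the same s/// syntax as
# "| rex mode=sed". \1 re-emits the captured opening tag, [^<]+ eats the
# value up to the closing tag, so <Password>x</Password> becomes
# <Password>********</Password>.
SEDCMD-mask_password = s/(<Password>)[^<]+/\1********/g
SEDCMD-mask_userid   = s/(<UserId>)[^<]+/\1UserID/g

# Option 2: route _raw through transforms.conf stanzas instead.
# Use this OR the SEDCMD lines above, not both.
# TRANSFORMS-mask_creds = mask_password, mask_userid


# transforms.conf
# A _raw-rewriting transform must match the whole event: FORMAT replaces
# _raw entirely, so everything before and after the value is captured and
# re-emitted. (?s) lets .* span the newlines in this multi-line event.
[mask_password]
REGEX    = (?s)^(.*<Password>)[^<]+(.*)$
FORMAT   = $1********$2
DEST_KEY = _raw

[mask_userid]
REGEX    = (?s)^(.*<UserId>)[^<]+(.*)$
FORMAT   = $1UserID$2
DEST_KEY = _raw
```

Two things worth checking after deploying: run a search over freshly indexed events and confirm the raw text shows the placeholder and no original value, and confirm the mask is applied at ingest rather than only in a saved search, since a search-time "| rex mode=sed" still leaves the cleartext password sitting in the index for anyone with access to the raw data.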
