Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Anonymizing AWS S3 inputs to Splunk Cloud

sholt_fundrise
New Member
‎08-09-2018 12:01 PM

How can I anonymize certain fields from data inputs in Splunk Cloud when ingesting logs from AWS S3 buckets?

Tags (1)
0 Karma
Reply

sudosplunk
Motivator
‎08-09-2018 12:12 PM

Hi there,

You can make use of regex to look for fields and mask them with props.conf and transforms.conf files. Please provide some info about your architecture and some sample events if you want help with .conf settings.

Please refer to this link for instructions.

0 Karma
Reply

sholt_fundrise
New Member
‎08-09-2018 12:21 PM

Is that the same steps for Splunk Cloud as it is for Splunk Enterprise?
I'm looking at some CloudFront logs being ingested through an s3 bucket input into a Cloud instance. I found some notes at https://answers.splunk.com/answers/149597/im-struggling-with-how-i-should-be-doing-inputs-and-also-p... that might apply, but I've also found notes saying it's impossible to anonymize this data after indexing. Do I need to be transforming it with a sed script before even having Splunk Cloud in the picture, or is there a configuration i'm missing (field transform?)?

0 Karma
Reply

sudosplunk
Motivator
‎08-09-2018 12:41 PM

Per documentation, "To anonymize data with Splunk Cloud, you must configure a Splunk Enterprise instance as a heavy forwarder and anonymize the incoming data with that instance before sending it to Splunk Cloud. You can follow the instructions in this topic on the heavy forwarder."

Yes. Once data is indexed, you can't change it. You should mask your data before it touches indexers in cloud.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...