Splunk Enterprise Security

How to tune the Splunk App for Enterprise Security to prevent our web logs from being triggered as Personally Identifiable Information Detection?


Hi Everyone,

I am still learning Splunk and Enterprise Security and I am working on a problem with the Splunk App for Enterprise Security alerting on hundreds of "Personally Identifiable Information Detected" events. ES is correctly identifying what looks like credit card data; however, what ES is identifying is part of the URL string &ranreq=0.4055620639119297 from our web logs. What would be the best way to tune these events so they no longer trigger "personally identifiable information detected" events? Would it be best to build a regex that will match req=0. and disregard the log?

Any help would be appreciated.

Kind regards,


NOT sourcetype=stash
| `get_integer_seq`
| lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean
| eval pii_length=len(pii_clean)
| lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer
| search iin_issuer=*
| `get_event_id`
| rename event_id as orig_event_id
| eval orig_raw=_raw
| fields - _raw
| fields + orig_event_id,orig_raw,host,pii,iin_issuer
| eval pii_hash=sha1(pii)
| eval orig_time=_time



This is useful, thanks Dirkmeeuwsen.


We had the same things happening and this was our thought process:

  • Try to narrow it down to specific traffic - you might care more about this if it's in your DMZ compared to users' traffic logs
  • Narrow it down to a specific direction of traffic where the source is external (or internal, depending on your use case)
  • Tweak the threshold that it fires on; only have it trigger if it's above a certain count of events in a given time frame
  • You may be able to use 'rex' in the search to do on-the-fly regex for that string (if you see that same string consistently)
  • Disable it altogether and revisit it later

I know it's not a definitive answer, but might help you make some decisions! Or help someone else with a similar issue.
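To see why the ranreq parameter keeps firing, and how a tuning step like the 'rex' suggestion above would quiet it without blinding the search to real card numbers elsewhere in the event, here is an added example. It is not code from the thread or from Enterprise Security; it mimics the correlation search posted earlier (digit-sequence extraction, Luhn check, issuer lookup) in Python on constructed log lines. The regexes, the tiny issuer table and the helper names are assumptions, not the ES macros or lookups themselves.

```python
import re
from typing import List, Tuple

# Constructed sample web log lines for illustration (not from the thread).
# The first line carries the same ranreq value the question quotes.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/ping?ranreq=0.4055620639119297 HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "POST /checkout?card=4111111111111111 HTTP/1.1" 200 88',
]

# Assumed stand-in for `get_integer_seq`: runs of 13-19 digits (typical PAN lengths).
INTEGER_SEQ_RE = re.compile(r"\d{13,19}")
# Known-benign parameter: a random float whose fractional digits look like a PAN.
RANREQ_RE = re.compile(r"ranreq=0\.\d+")
# Toy subset of an IIN table (assumption, not the ES iin_lookup).
IIN_PREFIXES = {"4": "visa", "51": "mastercard", "34": "amex", "37": "amex"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 check, the same test luhn_lite_lookup performs on a digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer_for(digits: str) -> str:
    """Longest-prefix lookup against the toy IIN table; '' when unknown."""
    for length in (2, 1):
        issuer = IIN_PREFIXES.get(digits[:length])
        if issuer:
            return issuer
    return ""


def strip_ranreq(line: str) -> str:
    """Tuning step: neutralise only the benign parameter, not the whole event,
    so a real card number elsewhere in the same request is still caught."""
    return RANREQ_RE.sub("ranreq=<redacted>", line)


def scan(lines: List[str], tune: bool = True) -> List[Tuple[str, str, str]]:
    """Return (original_line, digit_run, issuer) for every run that passes
    Luhn and maps to an issuer, i.e. what `search iin_issuer=*` keeps."""
    hits = []
    for line in lines:
        text = strip_ranreq(line) if tune else line
        for run in INTEGER_SEQ_RE.findall(text):
            issuer = issuer_for(run)
            if luhn_valid(run) and issuer:
                hits.append((line, run, issuer))
    return hits


if __name__ == "__main__":
    for label, tuned in (("untuned", False), ("tuned", True)):
        print(label)
        for line, run, issuer in scan(SAMPLE_LOGS, tune=tuned):
            print(f"  {issuer:<10} {run}  <- {line[:60]}...")
```

Run as-is, the untuned pass reports two hits: the ranreq digits 4055620639119297 happen to satisfy the Luhn checksum and start with a Visa prefix, so the correlation search is doing exactly what it was built to do. The tuned pass reports only the genuine test card number on the third line. In SPL the equivalent placement is a `rex mode=sed` substitution on _raw (something like `s/ranreq=0\.\d+/ranreq=REDACTED/`) inserted before the `get_integer_seq` macro, which is preferable to excluding every event that contains the string, since the same request could also carry a real PAN in another parameter.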
