Splunk Enterprise

Anonymizing (Masking) Data Using SEDCMD

computermathguy
Path Finder

As a test, I first created some credit card numbers using a python script.

I placed the script, along with inputs and props, on the search head. I only placed props on the indexers.

The following SEDCMD will  mask the 1st and 3rd set of 4-digits. The two groups (2nd and 4th set of 4-digits) will not be masked.

props:
[cc_generator]
SEDCMD-maskcc = s/\d{4}-(\d{4})-\d{4}-(\d{4})/xxxx-\1-xxxx-\2/g 

inputs:
[script://./bin/my_cc_generator.py]
interval = */30 * * * *
sourcetype = cc_generator
disabled = 0
index = mypython

output:
xxxx-9874-xxxx-9484
Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Is there a question here?

0 Karma

computermathguy
Path Finder

Yes..... Is there a way to implement masking globally?  If not, I assume we to add each sourcetype in props.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You could attach your props to some wildcarded host or source stanza but that's something I'd be very careful about. It's a very non-obvious configuration and can be a huge pain to debug issues.

0 Karma
Get Updates on the Splunk Community!

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...