Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Data masking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI ,
i want to masking the cookie value in the the log file i just write the regx but its not displaying the data before the masking vale.
2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}
2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTNjNTY3MTAtYzg1Yy00ZjY3LWJmZjYtM2EyYzM0Njk2MjFjIiwiYWNjb3VudElEIjoiQU41OTM3OTgtNTMzNi0wNTAyLTM3MTEtSkkwMTIwMTZLSTk4Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk3OTU1MDZ9.XaL4OaNWXT1p_ADnPYLFHN1Jl_fLlHEmbG9Q25YaMF8iRJMPYJuWF-2dxZ9oMJUyZiPbEdQzkdRcGvWvE0xl5faM-LKB2g-r_6bTt1ArLaLTt3uzXZ0GX5V6OlQyvHlUZPFlvKQpkC_3Sb_Gg9p4C4vee-oPHNpMm721ba_cUM5MC7VHcmepQQi3zP0zYh2U3kjTa8D88pAW1mmJF1INvhZ_T3tJMMqEG5YnxUfE75ETJY9brS7KF3VAC6GyEhpbw2QSJBvkj6FmnyGM7O7xn84LGXUgYgZiHMuNXQb0so6-Zpy9Ax88bDi2QMo59mj6nGM4zuyq6IqrBGJonDJ_5g; path=/; maxAge=-1; domain=}
code:
| rex mode=sed "s/[^{]+{(\w+)=([^};]*)/=1XXXXXX/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
here i just want to mask only the Cookie session values oly not other string , even i need to tesxt "adding Cookie{PF_JWT=" and the end of the line laso "path=/; maxAge=-1; domain=}"
2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}
only bold code should mask
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this,
| makeresults | eval test="2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}" |rex field=test mode=sed "s/Cookie{PF_JWT=`(\S+)/Cookie{PF_JWT=xxxxxx;/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure the question your asking.. You want to mask the data but the data is not present in the logs?
Your sed method is only masking data at search time. If another user runs a search then the cookie data will be available. If you want to mask the data at index time (i.e. the data will be masked if anyone searches for it), you should do the following
props.conf
[sourcetype]
TRANSFORMS-1card = cookie_anon
transforms.conf
[cookie_anon]
REGEX = [^{]+{(\w+)=([^};]*)
DEST_KEY = _raw
FORMAT = 1XXXXXX
Make sure to restart splunkd after making these changes
What the End of Support for Splunk Add-on Builder Means for You
Solve, Learn, Repeat: New Puzzle Channel Now Live
Building Reliable Asset and Identity Frameworks in Splunk ES
