Data masking

svemurilv
Path Finder

Hi,
I want to mask the cookie value in the log file. I just wrote the regex, but it's not displaying the data before the masked value.

2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}

2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTNjNTY3MTAtYzg1Yy00ZjY3LWJmZjYtM2EyYzM0Njk2MjFjIiwiYWNjb3VudElEIjoiQU41OTM3OTgtNTMzNi0wNTAyLTM3MTEtSkkwMTIwMTZLSTk4Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk3OTU1MDZ9.XaL4OaNWXT1p_ADnPYLFHN1Jl_fLlHEmbG9Q25YaMF8iRJMPYJuWF-2dxZ9oMJUyZiPbEdQzkdRcGvWvE0xl5faM-LKB2g-r_6bTt1ArLaLTt3uzXZ0GX5V6OlQyvHlUZPFlvKQpkC_3Sb_Gg9p4C4vee-oPHNpMm721ba_cUM5MC7VHcmepQQi3zP0zYh2U3kjTa8D88pAW1mmJF1INvhZ_T3tJMMqEG5YnxUfE75ETJY9brS7KF3VAC6GyEhpbw2QSJBvkj6FmnyGM7O7xn84LGXUgYgZiHMuNXQb0so6-Zpy9Ax88bDi2QMo59mj6nGM4zuyq6IqrBGJonDJ_5g; path=/; maxAge=-1; domain=}

code:

| rex mode=sed  "s/[^{]+{(\w+)=([^};]*)/=1XXXXXX/g" 
0 Karma
1 Solution

sbbadri
Motivator

Try this

| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"

svemurilv
Path Finder

Hi,
Here I just want to mask only the cookie session values, not the other strings. I even need the text "adding Cookie{PF_JWT=" and the end of the line also, "path=/; maxAge=-1; domain=}".

2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}

Only the bold code should be masked.

0 Karma

sbbadri
Motivator

Try this,

| makeresults | eval test="2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}" | rex field=test mode=sed "s/Cookie{PF_JWT=(\S+)/Cookie{PF_JWT=xxxxxx;/g"

0 Karma

skoelpin
SplunkTrust

I'm not sure what question you're asking. You want to mask the data but the data is not present in the logs?

Your sed method is only masking data at search time. If another user runs a search then the cookie data will be available. If you want to mask the data at index time (i.e. the data will be masked if anyone searches for it), you should do the following:

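props.conf

[sourcetype]
TRANSFORMS-1card = cookie_anon

transforms.conf

[cookie_anon]
# DEST_KEY = _raw rewrites the whole event, so groups 1 and 2 carry the text around the cookie value.
REGEX = ^(.*Cookie\{\w+=)[^};]*(.*)$
DEST_KEY = _raw
FORMAT = $1XXXXXX$2

Make sure to restart splunkd after making these changes.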
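
Why the expression in the question loses the text before the cookie, shown next to a scoped pattern that keeps it, plus a check for the cookie value surviving elsewhere in the event (in the thread's first sample the tid string is identical to the PF hashed value). This is an added Python example, not code from the thread: the sample events, token values and function names are constructed, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# Constructed sample events in the thread's log layout; all token values are placeholders.
# As in the thread's first sample, the tid equals the PF cookie's hashed value.
SAMPLES = [
    "2017-07-11 11:51:46,740 tid:DEMOSESSION01 DEBUG [org.sourceid.servlet.HttpServletRespProxy] "
    "flush cookies: adding Cookie{PF=hashedValue:DEMOSESSION01; path=/; maxAge=-1; domain=null}",
    "2017-07-12 09:47:57,316 tid:DEMOSESSION02 DEBUG [org.sourceid.servlet.HttpServletRespProxy] "
    "flush cookies: adding Cookie{PF_JWT=eyJDEMO.eyJDEMO.DEMOSIG; path=/; maxAge=-1; domain=}",
]
MASK = "XXXXXX"

# Pattern from the question ('{' escaped for clarity). "[^{]+" also matches the
# timestamp, tid and logger name, so whatever replaces the match replaces them too.
WHOLE_PREFIX = re.compile(r"[^{]+\{(\w+)=([^};]*)")
# Scoped pattern: group 1 keeps "Cookie{NAME=", group 2 is the value to hide.
SCOPED = re.compile(r"(Cookie\{\w+=)([^;}]*)")


def mask_whole_prefix(line):
    """Question's pattern with a constant replacement: the prefix is lost."""
    return WHOLE_PREFIX.sub(MASK, line)


def mask_scoped(line):
    """Replace only the cookie value; name, attributes and prefix survive."""
    return SCOPED.sub(lambda m: m.group(1) + MASK, line)


def residual_secrets(line):
    """Fragments of the cookie value still present after scoped masking."""
    masked = mask_scoped(line)
    found = []
    for _, value in SCOPED.findall(line):
        # Test the full value and, for "label:secret" forms, the part after the colon.
        for piece in sorted({value, value.split(":")[-1]}):
            if piece and piece in masked:
                found.append(piece)
    return found


if __name__ == "__main__":
    for event in SAMPLES:
        print("question pattern:", mask_whole_prefix(event))
        print("scoped pattern:  ", mask_scoped(event))
        print("still exposed:   ", residual_secrets(event))
```

A non-empty result from `residual_secrets` means another field in the same event needs its own masking rule before the data is indexed.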
