Splunk Search

Data masking

svemurilv
Path Finder

HI ,
i want to masking the cookie value in the the log file i just write the regx but its not displaying the data before the masking vale.

2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}

2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTNjNTY3MTAtYzg1Yy00ZjY3LWJmZjYtM2EyYzM0Njk2MjFjIiwiYWNjb3VudElEIjoiQU41OTM3OTgtNTMzNi0wNTAyLTM3MTEtSkkwMTIwMTZLSTk4Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk3OTU1MDZ9.XaL4OaNWXT1p_ADnPYLFHN1Jl_fLlHEmbG9Q25YaMF8iRJMPYJuWF-2dxZ9oMJUyZiPbEdQzkdRcGvWvE0xl5faM-LKB2g-r_6bTt1ArLaLTt3uzXZ0GX5V6OlQyvHlUZPFlvKQpkC_3Sb_Gg9p4C4vee-oPHNpMm721ba_cUM5MC7VHcmepQQi3zP0zYh2U3kjTa8D88pAW1mmJF1INvhZ_T3tJMMqEG5YnxUfE75ETJY9brS7KF3VAC6GyEhpbw2QSJBvkj6FmnyGM7O7xn84LGXUgYgZiHMuNXQb0so6-Zpy9Ax88bDi2QMo59mj6nGM4zuyq6IqrBGJonDJ_5g; path=/; maxAge=-1; domain=}

code:

| rex mode=sed  "s/[^{]+{(\w+)=([^};]*)/=1XXXXXX/g" 
0 Karma
1 Solution

sbbadri
Motivator

Try this

| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"

View solution in original post

sbbadri
Motivator

| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"

0 Karma

sbbadri
Motivator

Try this

| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"

svemurilv
Path Finder

Hi ,
here i just want to mask only the Cookie session values oly not other string , even i need to tesxt "adding Cookie{PF_JWT=" and the end of the line laso "path=/; maxAge=-1; domain=}"

2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}

only bold code should mask

0 Karma

sbbadri
Motivator

Try this,

| makeresults | eval test="2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}" |rex field=test mode=sed "s/Cookie{PF_JWT=`(\S+)/Cookie{PF_JWT=xxxxxx;/g"

0 Karma

skoelpin
SplunkTrust
SplunkTrust

I'm not sure the question your asking.. You want to mask the data but the data is not present in the logs?

Your sed method is only masking data at search time. If another user runs a search then the cookie data will be available. If you want to mask the data at index time (i.e. the data will be masked if anyone searches for it), you should do the following

props.conf

 [sourcetype]
 TRANSFORMS-1card = cookie_anon

transforms.conf

[cookie_anon]
 REGEX = [^{]+{(\w+)=([^};]*)
 DEST_KEY = _raw
 FORMAT = 1XXXXXX

Make sure to restart splunkd after making these changes

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...