Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data masking

svemurilv
Path Finder
‎07-11-2017 10:30 AM

HI ,
i want to masking the cookie value in the the log file i just write the regx but its not displaying the data before the masking vale.

2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}

2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTNjNTY3MTAtYzg1Yy00ZjY3LWJmZjYtM2EyYzM0Njk2MjFjIiwiYWNjb3VudElEIjoiQU41OTM3OTgtNTMzNi0wNTAyLTM3MTEtSkkwMTIwMTZLSTk4Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk3OTU1MDZ9.XaL4OaNWXT1p_ADnPYLFHN1Jl_fLlHEmbG9Q25YaMF8iRJMPYJuWF-2dxZ9oMJUyZiPbEdQzkdRcGvWvE0xl5faM-LKB2g-r_6bTt1ArLaLTt3uzXZ0GX5V6OlQyvHlUZPFlvKQpkC_3Sb_Gg9p4C4vee-oPHNpMm721ba_cUM5MC7VHcmepQQi3zP0zYh2U3kjTa8D88pAW1mmJF1INvhZ_T3tJMMqEG5YnxUfE75ETJY9brS7KF3VAC6GyEhpbw2QSJBvkj6FmnyGM7O7xn84LGXUgYgZiHMuNXQb0so6-Zpy9Ax88bDi2QMo59mj6nGM4zuyq6IqrBGJonDJ_5g; path=/; maxAge=-1; domain=}

code:

| rex mode=sed  "s/[^{]+{(\w+)=([^};]*)/=1XXXXXX/g"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sbbadri
Motivator
‎07-11-2017 11:02 AM

Try this

| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"

View solution in original post

Reply
Solved! Jump to solution

sbbadri
Motivator
‎07-11-2017 11:02 AM

| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"

0 Karma
Reply
Solved! Jump to solution
Solution

sbbadri
Motivator
‎07-11-2017 11:02 AM

Try this

| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"

Reply
Solved! Jump to solution

svemurilv
Path Finder
‎07-12-2017 06:51 AM

Hi ,
here i just want to mask only the Cookie session values oly not other string , even i need to tesxt "adding Cookie{PF_JWT=" and the end of the line laso "path=/; maxAge=-1; domain=}"

2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}

only bold code should mask

0 Karma
Reply
Solved! Jump to solution

sbbadri
Motivator
‎07-12-2017 07:10 AM

Try this,

| makeresults | eval test="2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA; path=/; maxAge=-1; domain=}" |rex field=test mode=sed "s/Cookie{PF_JWT=`(\S+)/Cookie{PF_JWT=xxxxxx;/g"

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎07-11-2017 10:49 AM

I'm not sure the question your asking.. You want to mask the data but the data is not present in the logs?

Your sed method is only masking data at search time. If another user runs a search then the cookie data will be available. If you want to mask the data at index time (i.e. the data will be masked if anyone searches for it), you should do the following

props.conf

 [sourcetype]
 TRANSFORMS-1card = cookie_anon

transforms.conf

[cookie_anon]
 REGEX = [^{]+{(\w+)=([^};]*)
 DEST_KEY = _raw
 FORMAT = 1XXXXXX

Make sure to restart splunkd after making these changes

Reply
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Meet Duke Cyberwalker | A hero’s journey with Splunk

We like to say, the lightsaber is to Luke as Splunk is to Duke. Curious yet? Then read Eric Fusilero’s latest ...

The Future of Splunk Search is Here - See What’s New!

We’re excited to introduce two powerful new search features, now generally available for Splunk Cloud Platform ...