Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i mask this data at index time?

u2s1e0n2
New Member
‎04-09-2017 08:21 PM

I will like to mask this data so that the password value is "XXXXXXXX". I have tried SEDCMD, scrub and transforms but I just couldn't get it done. Thanks for your help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎04-10-2017 01:51 AM

Index time means you can never recover the value again. Splunk's official documentation to anonymize data

  • Create an app (eg my_mask_app)
  • within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg probable_password_sourcetype)
  • within "local" directory, create props.conf and put the value for the above sourcetype

Example

[probable_password_sourcetype]
TRANSFORMS-anonymize = password-anonymizer
  • Now create transforms.conf in "local" and put the regex logic. Below is a sample only

Example

[password-anonymizer]
REGEX = (?m)^(.*)password=\w+(\w{4}[&"].*)$
FORMAT = $1password=########$2
DEST_KEY = _raw

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎04-10-2017 01:51 AM

Index time means you can never recover the value again. Splunk's official documentation to anonymize data

  • Create an app (eg my_mask_app)
  • within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg probable_password_sourcetype)
  • within "local" directory, create props.conf and put the value for the above sourcetype

Example

[probable_password_sourcetype]
TRANSFORMS-anonymize = password-anonymizer
  • Now create transforms.conf in "local" and put the regex logic. Below is a sample only

Example

[password-anonymizer]
REGEX = (?m)^(.*)password=\w+(\w{4}[&"].*)$
FORMAT = $1password=########$2
DEST_KEY = _raw
0 Karma
Reply
Solved! Jump to solution

u2s1e0n2
New Member
‎04-10-2017 11:20 PM

Thanks @ koshyk for the insight. But I'm still having issues getting the sample data masked at index time.

Sample data to be masked : ns2:arg name="password" value="utTSsgTST9B"/
props.conf
[password_log]
TRANSFORMS-anonymize = password-anonymizer

transforms.conf
[password-anonymizer]
REGEX = (?m)^(.)"password"=\s\w+('[a-z0-9#])["/].)$
FORMAT = $1password=########$2
DEST_KEY = _raw

What am i doing wrong?
Thanks
-u

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎04-11-2017 12:55 AM

Good to see a sample data. Your regex seems wrong

Have a try below.

[password-anonymizer]
REGEX =(?m)^(.+)\svalue=\"([\w\W]+)\"(.*)$
FORMAT = $1 value=########$3
DEST_KEY = _raw

0 Karma
Reply
Solved! Jump to solution

u2s1e0n2
New Member
‎04-11-2017 07:19 AM

Thanks. It worked.

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎04-11-2017 07:39 AM

Please mark the answer as accepted if this works for you 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...