Splunk Search

How can I mask this data at index time?

u2s1e0n2
New Member

I would like to mask this data so that the password value is "XXXXXXXX". I have tried SEDCMD, scrub and transforms, but I just couldn't get it done. Thanks for your help.


koshyk
Super Champion

Index time means you can never recover the value again. Splunk's official documentation to anonymize data

  • Create an app (eg my_mask_app)
  • within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg probable_password_sourcetype)
  • within "local" directory, create props.conf and put the value for the above sourcetype

Example

[probable_password_sourcetype]
TRANSFORMS-anonymize = password-anonymizer

  • Now create transforms.conf in "local" and put the regex logic. Below is a sample only

Example

[password-anonymizer]
REGEX = (?m)^(.*)password=\w+(\w{4}[&"].*)$
FORMAT = $1password=########$2
DEST_KEY = _raw


u2s1e0n2
New Member

Thanks @koshyk for the insight. But I'm still having issues getting the sample data masked at index time.

Sample data to be masked: <ns2:arg name="password" value="utTSsgTST9B"/>

props.conf
[password_log]
TRANSFORMS-anonymize = password-anonymizer

transforms.conf
[password-anonymizer]
REGEX = (?m)^(.)"password"=\s\w+('[a-z0-9#])["/].)$
FORMAT = $1password=########$2
DEST_KEY = _raw

What am I doing wrong?
Thanks
-u


koshyk
Super Champion

Good to see sample data. Your regex seems wrong.

Have a try below.

[password-anonymizer]
REGEX = (?m)^(.+)\svalue=\"([\w\W]+)\"(.*)$
FORMAT = $1 value=########$3
DEST_KEY = _raw

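To check what a transforms.conf stanza will do to an event before restarting Splunk, here is a small Python harness added to this thread (it is not koshyk's code and not Splunk's own implementation). It mimics an index-time transform with DEST_KEY = _raw: FORMAT's $n references are translated to Python's \g<n>, and when REGEX matches the whole _raw is replaced by the expanded FORMAT. It runs both stanzas koshyk posted (the key=value sample from the accepted answer and the one that worked for the XML-attribute sample) and, for comparison, a TARGETED_STANZA that anchors on name="password" and keeps the quotes. That stanza, the helper names, the constructed second attribute and the KV_LINE sample are my assumptions, not anything posted in the thread.

```python
import re


# Splunk FORMAT refers to capture groups as $1, $2 ...; Python's re uses \g<n>.
def splunk_format_to_python(fmt: str) -> str:
    return re.sub(r"\$(\d+)", r"\\g<\1>", fmt)


def apply_transform(raw: str, stanza: dict) -> str:
    """Mimic one index-time transforms.conf stanza with DEST_KEY = _raw.

    When REGEX matches, Splunk replaces the whole _raw with the expanded
    FORMAT, which is why the regex is anchored with ^ and $ and must capture
    everything that should survive. When it does not match, the event is
    indexed unchanged.
    """
    m = re.search(stanza["REGEX"], raw)
    if m is None:
        return raw
    return m.expand(splunk_format_to_python(stanza["FORMAT"]))


def leaks(masked: str, secret: str) -> bool:
    """True if the secret value is still present after masking."""
    return secret in masked


# Stanzas copied from the thread.
KV_STANZA = {  # first sample in the accepted answer: key=value style lines
    "REGEX": r'(?m)^(.*)password=\w+(\w{4}[&"].*)$',
    "FORMAT": r"$1password=########$2",
}
XML_STANZA = {  # the stanza that worked for the asker's XML-attribute sample
    "REGEX": r'(?m)^(.+)\svalue=\"([\w\W]+)\"(.*)$',
    "FORMAT": r"$1 value=########$3",
}
# Assumed variant (not from the thread): anchor on name="password", keep the quotes.
TARGETED_STANZA = {
    "REGEX": r'(?m)^(.*name="password"\s+value=")[^"]*(".*)$',
    "FORMAT": r"$1########$2",
}

SECRET = "utTSsgTST9B"  # the value from the asker's sample
# Constructed sample events: the asker's line with its angle brackets restored,
# the same line followed by a second (constructed) attribute, and a key=value line.
ONE_ATTR = f'<ns2:arg name="password" value="{SECRET}"/>'
TWO_ATTRS = f'<ns2:arg name="password" value="{SECRET}"/><ns2:arg name="user" value="bob"/>'
KV_LINE = "user=bob&password=secret1234&x=1"


def demo() -> dict:
    """Run each stanza over the constructed events and return the masked _raw."""
    return {
        "kv": apply_transform(KV_LINE, KV_STANZA),
        "xml_one": apply_transform(ONE_ATTR, XML_STANZA),
        "xml_two": apply_transform(TWO_ATTRS, XML_STANZA),
        "targeted_one": apply_transform(ONE_ATTR, TARGETED_STANZA),
        "targeted_two": apply_transform(TWO_ATTRS, TARGETED_STANZA),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:13} leaks={str(leaks(out, SECRET)):5} {out}")
```

Two things the harness makes visible. The greedy `(.+)` in the accepted regex binds to the last ` value="` on the line, so an event that carries another attribute after the password one is indexed with the password intact; anchoring on `name="password"` avoids that. And `$1 value=########$3` drops the quotes around the masked value, which the targeted FORMAT keeps. Remember also that index-time stanzas only take effect on the instance that parses the data (indexer or heavy forwarder, not a universal forwarder) and only for events arriving after the restart; anything already indexed stays as it was.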

u2s1e0n2
New Member

Thanks. It worked.


DMohn
Motivator

Please mark the answer as accepted if this works for you :winking_face:
