Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Mask Sensitive Data at end of the first line in a multiline event at index-time?

bohrasaurabh
Communicator
‎09-29-2015 09:31 AM

I have a multiline event and want to mask the sensitive data at the end of line 1, in the below sample data any word after community. I have tried the below REGEX in transforms.conf, however, I have been unable to rewrite the entire transformed data back to _raw. Currently I don't care about about reformatting the event, as long as entire event gets re-written after masking. Any suggestions for REGEX?

props.conf

[snmptrap:generic]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TRANSFORMS-community = maskCommunity

transforms.conf

[maskCommunity]
#REGEX = (.*community\s+)(\w+)(.*)
#REGEX = (?m)(.*community\s+)(\S+)\n(.*)
REGEX = (.*community\s+)(\S+)\n(.*)
DEST_KEY = _raw
FORMAT = $1xxxxx$3

Sample Data:

2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->;[traprec] TRAP, SNMP v1, community test#&0
        .1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:52.45
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.2 = INTEGER: 2
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.3 = STRING: "This is fake"

2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->;[traprec]) TRAP, SNMP v1, community test1
        .1.3.6.1.4.1.6827.10.17.7.2 Enterprise Specific Trap (1034) Uptime: 22 days, 19:41:53.07
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1

2015-09-29 11:39:19 172.22.2.92(via UDP: [trapforwarder]:162->[traprec]) TRAP, SNMP v1, community test2
        .1.3.6.1.4.1.321.2.1 Enterprise Specific Trap (3) Uptime: 167 days, 1:50:11.60

The best result so far I have seen with the above REGEX is as below:

2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->;[traprec] TRAP, SNMP v1, community xxxxx   .1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:52.45
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2015 09:58 AM

Try the s flag.

REGEX = (?s)(.*community\s+)(\S+)\n(.*)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2015 09:58 AM

Try the s flag.

REGEX = (?s)(.*community\s+)(\S+)\n(.*)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

bohrasaurabh
Communicator
‎09-29-2015 10:28 AM

That worked. I removed \n from my REGEX and it preserved the formatting too.

REGEX = (?s)(.*community\s+)(\S+)(.*)

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...