Splunk Search

How to Mask Sensitive Data at end of the first line in a multiline event at index-time?

Communicator

I have a multiline event and want to mask the sensitive data at the end of line 1, in the below sample data any word after community. I have tried the below REGEX in transforms.conf, however, I have been unable to rewrite the entire transformed data back to _raw. Currently I don't care about about reformatting the event, as long as entire event gets re-written after masking. Any suggestions for REGEX?

props.conf

[snmptrap:generic]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TRANSFORMS-community = maskCommunity

transforms.conf

[maskCommunity]
#REGEX = (.*community\s+)(\w+)(.*)
#REGEX = (?m)(.*community\s+)(\S+)\n(.*)
REGEX = (.*community\s+)(\S+)\n(.*)
DEST_KEY = _raw
FORMAT = $1xxxxx$3

Sample Data:

2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->;[traprec] TRAP, SNMP v1, community test#&0
        .1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:52.45
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.2 = INTEGER: 2
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.3 = STRING: "This is fake"

2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->;[traprec]) TRAP, SNMP v1, community test1
        .1.3.6.1.4.1.6827.10.17.7.2 Enterprise Specific Trap (1034) Uptime: 22 days, 19:41:53.07
        .1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1

2015-09-29 11:39:19 172.22.2.92(via UDP: [trapforwarder]:162->[traprec]) TRAP, SNMP v1, community test2
        .1.3.6.1.4.1.321.2.1 Enterprise Specific Trap (3) Uptime: 167 days, 1:50:11.60

The best result so far I have seen with the above REGEX is as below:

2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->;[traprec] TRAP, SNMP v1, community xxxxx   .1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:52.45
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try the s flag.

REGEX = (?s)(.*community\s+)(\S+)\n(.*)
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

SplunkTrust
SplunkTrust

Try the s flag.

REGEX = (?s)(.*community\s+)(\S+)\n(.*)
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Communicator

That worked. I removed \n from my REGEX and it preserved the formatting too.

REGEX = (?s)(.*community\s+)(\S+)(.*)

Thanks,

0 Karma