Splunk Search

How to obfuscate a username but keep a unique value for stats

jpass
Contributor

I am using HTTP Event Collector & Splunk logging for java (logback). The events contain a username (e-mail address) which needs to be obfuscated. I'm looking for suggestions on how to best do this while still allowing me to do stats by username. For example, replace username with some sort of id? My gut tells me the best way would be to ask the app team handle this before logs are generated.

Thank you.

Tags (1)
0 Karma

fsolercasanova
Explorer

Hello,

This is a large topic with a variety of ways to implement it. There was a .conf presentation detailing a few different ways and to do this. You seem to be looking for psuedononymous obfuscation so look out for those options in the slides: https://conf.splunk.com/files/2017/slides/data-obfuscation-and-field-protection-in-splunk.pdf

edit: Here is the above video for better context:
https://conf.splunk.com/files/2017/recordings/data-obfuscation-and-field-protection-in-splunk.mp4

Splunk provides their own documentation at: https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/Anonymizedata

There, they detail one of the easiest ways using a props and transforms regex :

To mask sensitive data, you need the following items:

  • Data that you want to anonymize
  • An understanding of how regular expressions work.
  • An inputs.conf file, with a configuration that tells Splunk Enterprise where this data is located
  • A transforms.conf file that does the data masking
  • A props.conf file that references the transforms.conf file for the data that you want to mask

Finally, If you only want to obfuscate the data at search time you can implement a data scrub inline with your search

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Scrub

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!