I'm trying to mask the IP address from the below sample syslog per the following guide, but it's just not working. Is my regex expression wrong? I'm no regex guru, so I'm generating the regex expression from online tools.
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/Anonymizedatausingconfigurationfiles
Sample Log:
Apr 11 10:47:30 192.168.1.1 stingray_xml_slave: ....
pref.conf:
[syslog]
TRANSFORMS-anonymize = testing
transforms.conf:
[testing]
# The text before and after the address must be captured, otherwise $1 and $2 in FORMAT expand to nothing and _raw collapses to "#####"
REGEX = (?m)^(.*)\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b(.*)$
FORMAT = $1#####$2
DEST_KEY = _raw
I also tried the following regex expression generated by txt2re.com, with no luck either:
((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])
Try this.
props.conf
[syslog]
SEDCMD-ipaddress = s/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/xxxxx/g
no transforms.conf entries.
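A way to check these patterns offline before editing props.conf, as an added example that is not from this thread or from Splunk: the script below models the answer's SEDCMD (a global substitution) and the question's TRANSFORMS stanza (FORMAT written into DEST_KEY = _raw, with each $n expanded from a capture group) using Python's re module, which handles the subset of PCRE syntax involved here. Only the first sample event comes from the question; the other two are constructed. The full-replacement semantics of FORMAT with DEST_KEY = _raw, and $n expanding to an empty string when the group does not exist, are assumptions modelled after the linked Splunk anonymization docs; a stricter octet-range pattern in the style of the txt2re one is included for comparison.

```python
import re

# Constructed sample events for the demo: the first mirrors the event in the question,
# the other two are made up to exercise multiple addresses, a version string and a
# malformed dotted quad.
SAMPLE_EVENTS = [
    "Apr 11 10:47:30 192.168.1.1 stingray_xml_slave: ....",
    "Apr 11 10:47:31 10.0.0.254 sshd[1234]: Accepted publickey from 203.0.113.7 port 51022",
    "Apr 11 10:47:32 172.16.5.9 app: build 6.0.2.1 started, peer=999.1.2.3",
]

# Pattern from the answer's SEDCMD: any four 1-3 digit groups joined by dots.
NAIVE_IP = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Stricter dotted quad in the style of the txt2re pattern: every octet 0-255 and
# no digit or dot directly before or after, so "999.1.2.3" is not treated as an address.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
STRICT_IP = re.compile(r"(?<![\d.])(?:" + OCTET + r"\.){3}" + OCTET + r"(?![\d.])")

# The question's transforms.conf regex: no capture groups at all.
BROKEN_REGEX = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
# The same address pattern with the surrounding text captured, as the Splunk
# anonymization docs do, so that $1 and $2 in FORMAT have something to expand to.
FIXED_REGEX = re.compile(r"^(.*)\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b(.*)$")
FORMAT = "$1#####$2"


def mask_sedcmd(event, pattern=NAIVE_IP, replacement="xxxxx"):
    """Model of SEDCMD s/<pattern>/<replacement>/g: every match in the event is replaced."""
    return pattern.sub(replacement, event)


def apply_transform(event, regex, fmt):
    """Model of a transforms.conf stanza with DEST_KEY = _raw (assumption, see lead-in):
    if REGEX matches, the whole event is replaced by FORMAT with each $n expanded to
    capture group n, or to the empty string when that group does not exist.
    The regex is applied once, as it is by default (REPEAT_MATCH is not modelled)."""
    m = regex.search(event)
    if not m:
        return event

    def expand(tok):
        n = int(tok.group(1))
        try:
            return m.group(n) or ""
        except IndexError:  # $n refers to a group the regex never defined
            return ""

    return re.sub(r"\$(\d+)", expand, fmt)


def demo(events=SAMPLE_EVENTS):
    """Run every model over the events; returns one tuple per event:
    (original, sedcmd_naive, sedcmd_strict, transform_as_posted, transform_fixed)."""
    return [
        (
            ev,
            mask_sedcmd(ev, NAIVE_IP),
            mask_sedcmd(ev, STRICT_IP),
            apply_transform(ev, BROKEN_REGEX, FORMAT),
            apply_transform(ev, FIXED_REGEX, FORMAT),
        )
        for ev in events
    ]


if __name__ == "__main__":
    labels = ("event", "SEDCMD naive", "SEDCMD strict", "TRANSFORMS as posted", "TRANSFORMS fixed")
    for row in demo():
        for label, text in zip(labels, row):
            print(f"{label:<21}: {text}")
        print()
```

Run it and compare the columns. Three things are worth noticing. The stanza as posted does match, but with no capture groups $1 and $2 are empty, so the whole event collapses to "#####"; that is why the documented pattern wraps the address in (.*) ... (.*). The transform fires once per event by default (REPEAT_MATCH is false in transforms.conf), so the greedy prefix rewrites only the last address and leaves the earlier 10.0.0.254 untouched, whereas SEDCMD's /g flag replaces every address in the event. The strict pattern skips the malformed 999.1.2.3 but still masks the version string 6.0.2.1, and for anonymization the permissive pattern's over-masking is usually the safer failure mode. Finally, both SEDCMD and TRANSFORMS run at parse time, so props.conf has to live on the indexer or heavy forwarder that parses the data, not on a universal forwarder, which is why the question of where it is deployed matters.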
I was an idiot, I had mistyped props -> pref. Thanks somesoni2 and Ayn for your help.
Any particular reason why you're using TRANSFORMS for this and not SEDCMD?
Also I'm assuming "pref.conf" is a typo?
...and finally where are you implementing this, on an indexer?
Thanks for the try. However, I rebooted Splunk and it's still not masking incoming syslog.