Splunk Search

Why are Props & transforms not taking effect when trying to hide ipclient?

virtuosoo
Explorer

Hello community,

I am trying to configure my props.conf and transforms.conf to hide ipclient when indexing data. I am doing all the configurations needed, but I find no effect after indexation. And I can't find my hidden values :

NB : I am indexing in a specific app in my project, and I've added in props and transform in the local file of this app, And I am choosing access_combined in the source_type when indexing data.

Here's my props.conf :

[access_combined]
TRANSFORMS-clientipindex = maskip_index

And here's my transforms.conf :

[maskip_index]
FORMAT = clientip_hidden::$1.".".$2.".x.x"     <= Here I am trying to hide the last two numbers of the ip address.
REGEX = ^([0-9]{1,3})\.([^.]*)\.([^.]*)\.([^.]*)
SOURCE_KEY = clientip

Any help please 😄 !

0 Karma
1 Solution

FrankVl
Ultra Champion

You are doing a TRANSFORMS on SOURCE_KEY 'clientip'. I don't think that is available as a field at indextime. And anyway such a transforms would not change the raw event, so the ip address would still be fully visible there.

You are probably better off doing a SEDCMD in props.conf (assuming you have the client ip right at the start of your logs, as usual with access_combined I believe).

SEDCMD-mask_ip = s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/

View solution in original post

FrankVl
Ultra Champion

You are doing a TRANSFORMS on SOURCE_KEY 'clientip'. I don't think that is available as a field at indextime. And anyway such a transforms would not change the raw event, so the ip address would still be fully visible there.

You are probably better off doing a SEDCMD in props.conf (assuming you have the client ip right at the start of your logs, as usual with access_combined I believe).

SEDCMD-mask_ip = s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/

virtuosoo
Explorer

You are amazing FrankVl :D...Thank youuuu

0 Karma

sudosplunk
Motivator

Can you provide some redacted events to see if the issue is with regex. Thx..

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...