Why are Props & transforms not taking effect when trying to hide ipclient?

virtuosoo
Explorer

Hello community,

I am trying to configure my props.conf and transforms.conf to hide ipclient when indexing data. I have done all the configurations needed, but I find no effect after indexing, and I can't find my hidden values:

NB: I am indexing in a specific app in my project, and I've added the props and transforms in the local file of this app, and I am choosing access_combined as the source type when indexing data.

Here's my props.conf:

[access_combined]
TRANSFORMS-clientipindex = maskip_index

And here's my transforms.conf:

[maskip_index]
# Here I am trying to hide the last two numbers of the ip address.
FORMAT = clientip_hidden::$1.".".$2.".x.x"
REGEX = ^([0-9]{1,3})\.([^.]*)\.([^.]*)\.([^.]*)
SOURCE_KEY = clientip

Any help please 😄 !

1 Solution

FrankVl
Ultra Champion

You are doing a TRANSFORMS on SOURCE_KEY 'clientip'. I don't think that is available as a field at index time. And anyway, such a transform would not change the raw event, so the IP address would still be fully visible there.

You are probably better off doing a SEDCMD in props.conf (assuming you have the client IP right at the start of your logs, as usual with access_combined I believe).

SEDCMD-mask_ip = s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/
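
The substitution from the answer above, replayed over constructed access_combined-style events to check what remains readable in the raw event. This is an added example, not part of the original posts; Python's re module stands in for Splunk's regex engine, and only the no-flag and g forms of s/// are handled.

```python
import re

# SEDCMD value from the answer above (props.conf; rewrites _raw before indexing).
SEDCMD = r"s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/"

# Constructed sample events (documentation-range addresses), not real logs.
EVENTS = [
    '203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.0"',
    'proxy01 203.0.113.45 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login?src=198.51.100.7 HTTP/1.1" 200 512 "-" "curl/8.0"',
]

# A complete dotted-quad IPv4 address; a masked "a.b.x.x" value does not match.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_sedcmd(expr):
    """Split s/regex/replacement/flags on '/' characters that are not escaped."""
    if not expr.startswith("s/"):
        raise ValueError("only s/// expressions are handled")
    parts = re.split(r"(?<!\\)/", expr[2:])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    return re.compile(parts[0]), parts[1], parts[2]


def apply_sedcmd(expr, raw):
    """Return the raw event text after the substitution."""
    regex, repl, flags = parse_sedcmd(expr)
    count = 0 if "g" in flags else 1  # without 'g', only the first match changes
    return regex.sub(repl, raw, count=count)


def residual_ips(raw):
    """Full IPv4 addresses still readable in an event."""
    return IPV4.findall(raw)


if __name__ == "__main__":
    for event in EVENTS:
        masked = apply_sedcmd(SEDCMD, event)
        print(masked)
        print("  still exposed:", residual_ips(masked) or "none")
```

The second and third events show the limit of the leading `^` anchor: an address that is not at the very start of the line, or that appears again later in the event, is left unmasked.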

virtuosoo
Explorer

You are amazing FrankVl :D...Thank youuuu

sudosplunk
Motivator

Can you provide some redacted events to see if the issue is with the regex? Thx.
