
Why are Props & transforms not taking effect when trying to hide ipclient?

virtuosoo
Explorer

Hello community,

I am trying to configure my props.conf and transforms.conf to hide ipclient when indexing data. I have done all the configuration needed, but I see no effect after indexing, and I can't find my hidden values:

NB: I am indexing into a specific app in my project, and I've added the props and transforms stanzas to the local directory of this app, and I am choosing access_combined as the sourcetype when indexing data.

Here's my props.conf :

[access_combined]
TRANSFORMS-clientipindex = maskip_index

And here's my transforms.conf :

[maskip_index]
FORMAT = clientip_hidden::$1.".".$2.".x.x"
REGEX = ^([0-9]{1,3})\.([^.]*)\.([^.]*)\.([^.]*)
SOURCE_KEY = clientip

(With the FORMAT line I am trying to hide the last two numbers of the IP address.)

Any help please 😄!

1 Solution

FrankVl
Ultra Champion

You are doing a TRANSFORMS on SOURCE_KEY 'clientip'. I don't think that is available as a field at index time. And anyway, such a transform would not change the raw event, so the IP address would still be fully visible there.

You are probably better off doing a SEDCMD in props.conf (assuming you have the client IP right at the start of your logs, as is usual with access_combined, I believe).

[access_combined]
# Rewrite _raw at parse time: keep the first two octets of the leading client IP, mask the last two
SEDCMD-mask_ip = s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/


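As an added worked example (not code from the original post, and not part of Splunk), the Python script below lets you dry-run FrankVl's SEDCMD outside Splunk before deploying it: it splits the s/// expression into regex, replacement and flags, applies it to a few constructed access_combined events with Python's re module (which accepts this PCRE-style pattern and the \1/\2 back-references in the replacement unchanged), and then checks whether any full dotted-quad address survives. The sample events, the function names and the leak check are assumptions of this example. It also shows the two caveats a practitioner should expect from this SEDCMD: because the pattern is anchored with ^, a second IPv4 address later in the event (here in the referer) is left intact, and an IPv6 client address does not match the IPv4 pattern at all and is indexed unmasked.

```python
import re

# SEDCMD from the accepted answer, copied verbatim (props.conf value, sed syntax).
SEDCMD_MASK_IP = r"s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/"

# Constructed access_combined events for this example (not from the original post).
# Event 2 carries a second IPv4 address in the referer; event 3 has an IPv6 client.
SAMPLE_EVENTS = [
    '10.20.30.40 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.168.1.250 - frank [10/Oct/2024:13:55:37 +0000] "GET /img/logo.png HTTP/1.1" 200 512 "http://203.0.113.7/start" "curl/8.0"',
    '2001:db8::1 - - [10/Oct/2024:13:55:38 +0000] "GET / HTTP/1.1" 200 100 "-" "-"',
]


def parse_sedcmd(sedcmd):
    """Split a SEDCMD of the form s<d>regex<d>replacement<d>flags into its parts.

    The delimiter <d> is whatever follows the leading 's' (usually '/').
    An escaped delimiter inside the regex or replacement is a literal and does
    not end the part; every other backslash escape is left for the regex engine.
    """
    if len(sedcmd) < 2 or sedcmd[0] != "s":
        raise ValueError("only the s/// substitution form is handled here")
    delim = sedcmd[1]
    parts, buf, i = [], [], 2
    while i < len(sedcmd) and len(parts) < 2:
        ch = sedcmd[i]
        if ch == "\\" and i + 1 < len(sedcmd):
            nxt = sedcmd[i + 1]
            buf.append(nxt if nxt == delim else ch + nxt)
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 2:
        raise ValueError("malformed SEDCMD: %r" % sedcmd)
    return parts[0], parts[1], sedcmd[i:]


def apply_sedcmd(sedcmd, event):
    """Rewrite one event the way SEDCMD rewrites _raw at parse time.

    Splunk's SEDCMD regex is PCRE-flavoured; Python's re accepts this pattern
    and the \\1/\\2 back-references in the replacement unchanged. As in sed,
    only the first match is replaced unless the 'g' flag is present.
    """
    regex, repl, flags = parse_sedcmd(sedcmd)
    return re.sub(regex, repl, event, count=0 if "g" in flags else 1)


def mask_events(events, sedcmd=SEDCMD_MASK_IP):
    """Apply the masking SEDCMD to every event and return the rewritten list."""
    return [apply_sedcmd(sedcmd, e) for e in events]


def leaks_full_ipv4(event):
    """True if an unmasked dotted-quad IPv4 address is still present anywhere in the event."""
    return re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", event) is not None


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, mask_events(SAMPLE_EVENTS)):
        status = "LEAK" if leaks_full_ipv4(after) else "ok"
        print("%-4s %s" % (status, after))
```

Two deployment notes follow from how SEDCMD works: it runs on the parsing tier (indexer or heavy forwarder, not a universal forwarder), so the props.conf stanza must live there, and it only affects events parsed after the change, so verify it on freshly indexed data rather than on events already in the index. If the referer or request path can also carry client addresses, the anchored pattern above will not touch them; a second, unanchored SEDCMD (with the g flag) or a different approach is needed for those.
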
virtuosoo
Explorer

You are amazing, FrankVl :D... Thank youuuu


sudosplunk
Motivator

Can you provide some redacted events, so we can see if the issue is with the regex? Thanks.
