Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are Props & transforms not taking effect when trying to hide ipclient?

virtuosoo
Explorer
‎11-16-2018 07:35 AM

Hello community,

I am trying to configure my props.conf and transforms.conf to hide ipclient when indexing data. I am doing all the configurations needed, but I find no effect after indexation. And I can't find my hidden values :

NB : I am indexing in a specific app in my project, and I've added in props and transform in the local file of this app, And I am choosing access_combined in the source_type when indexing data.

Here's my props.conf :

[access_combined]
TRANSFORMS-clientipindex = maskip_index

And here's my transforms.conf : 

[maskip_index]
FORMAT = clientip_hidden::$1.".".$2.".x.x"     <= Here I am trying to hide the last two numbers of the ip address.
REGEX = ^([0-9]{1,3})\.([^.]*)\.([^.]*)\.([^.]*)
SOURCE_KEY = clientip

Any help please 😄 !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-16-2018 08:14 AM

You are doing a TRANSFORMS on SOURCE_KEY 'clientip'. I don't think that is available as a field at indextime. And anyway such a transforms would not change the raw event, so the ip address would still be fully visible there.

You are probably better off doing a SEDCMD in props.conf (assuming you have the client ip right at the start of your logs, as usual with access_combined I believe).

SEDCMD-mask_ip = s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-16-2018 08:14 AM

You are doing a TRANSFORMS on SOURCE_KEY 'clientip'. I don't think that is available as a field at indextime. And anyway such a transforms would not change the raw event, so the ip address would still be fully visible there.

You are probably better off doing a SEDCMD in props.conf (assuming you have the client ip right at the start of your logs, as usual with access_combined I believe).

SEDCMD-mask_ip = s/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}/\1.\2.x.x/

Reply
Solved! Jump to solution

virtuosoo
Explorer
‎11-16-2018 08:33 AM

You are amazing FrankVl :D...Thank youuuu

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎11-16-2018 07:58 AM

Can you provide some redacted events to see if the issue is with regex. Thx..

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...