Splunk Search

data masking via transforms.conf and props.conf wont work?

patricianaguit
Explorer

After indexing the data, i've done some transforms.conf and props.conf configuration. The configuration masks the first 8 digits of the account number. Someone help me why its not working?

props.conf:
[transforms_vendor]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
TRANSFORMS-sample = anon_data

transforms.conf:
[anon_data]
REGEX = AcctID=\d{8}(\d{8})
FORMAT = $1AcctID=XXXXXXXX$2
DEST_KEY = _raw

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

At the very least your FORMAT has a problem. You only have one capture group in the text that I can see (though you may have put in more, and it has been formatted out because you didn't use the code formatting). It should be:

FORMAT = AcctID=XXXXXXXX$1

I would also use the suggestion from @MuS of the SEDCMDin props.conf:

SEDCMD-acctid = s/AcctID=\d{8}/AcctID=XXXXXXXX/g

View solution in original post

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

At the very least your FORMAT has a problem. You only have one capture group in the text that I can see (though you may have put in more, and it has been formatted out because you didn't use the code formatting). It should be:

FORMAT = AcctID=XXXXXXXX$1

I would also use the suggestion from @MuS of the SEDCMDin props.conf:

SEDCMD-acctid = s/AcctID=\d{8}/AcctID=XXXXXXXX/g

View solution in original post

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi there,

as in the previous answer, while SEDCMD and the props/transforms approach can do the same at index time, the props/transforms way can also be used at search time. You write after indexing the data so this would be search time and therefore the props.conf should be REPORT-sample = anon_data instead of TRANSFORMS-sample = anon_data.

cheers, MuS

0 Karma

patricianaguit
Explorer

Thank you 🙂

0 Karma