Our code leaked SSNs into our logs and they went into Splunk, so i'm trying to mask it. I tried it two ways (BTW, the regex works when i use it with | regex _raw= 😞
In etc/system/local/props.conf :
[source::/var/www/app/shared/log/production.log]
SEDCMD-ssn = s/(social_security_number..:..)\d{9}/\1[FILTERED]/g
In etc/system/local/props.conf :
[source::/var/www/app/shared/log/production.log]
TRANSFORMS-ssn = ssn_mask
and etc/system/local/transforms.conf :
[ssn_mask]
DEST_KEY = _raw
REGEX = (social_security_number..:..)\d{9}
FORMAT = $1[FILTERED]
Neither works. What am I missing? This is on 6.5.0.
... View more