Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you replace _raw values for multiple fields?

jgbricker
Contributor
‎04-01-2019 01:40 PM

I'm trying to mask multiple fields from the raw results. Only one of the fields ends up masked in the raw. It seems I need to either do one statement that gets them all or something else. I've experimented with using a pattern with pipes and also naming the EVAL-_raw differently like EVAL-_raw1 = and EVAL-raw2 = but have not found a winning combination. If I only try to mask one value I have no issue, so I believe it has to do with me trying doing the replace on more than one _raw string at once. I'm really hoping there is an answer other than deleting logs out. Any assistance is appreciated. These events are already indexed and I just want to mask the sensitive data at search time via props.conf on SH.

[wineventlog]

##DOB mask
EXTRACT-DOB = \<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>
EVAL-DOB = if(isnull(DateOfBirth),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>","<DateOfBirth>##masked##</DateOfBirth>")

##SSN mask
EXTRACT-SSN = \<SSN\>(?<SSN>[^\<]+)\<\/SSN\>
EVAL-SSN = if(isnull(SSN),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<SSN\>[^\<]+\<\/SSN\>","<SSN>##masked##</SSN>")

##LicenseNumber mask
EXTRACT-LicenseNumber = \<LicenseNumber\>(?<LicenseNumber>[^\<]+)\<\/LicenseNumber\>
EVAL-LicenseNumber = if(isnull(LicenseNumber),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<LicenseNumber\>[^\<]+\<\/LicenseNumber\>","<LicenseNumber>##masked##</LicenseNumber>")

##VIN mask
EXTRACT-VIN = \<VIN\>(?<VIN>[^\<]+)\<\/VIN\>
EVAL-VIN = if(isnull(VIN),NULL,"##masked##")
EVAL-_raw = replace(_raw,"\<VIN\>[^\<]+\<\/VIN\>","<VIN>##masked##</VIN>")
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jgbricker
Contributor
‎04-03-2019 01:23 PM

The following props.conf worked in all modes (Verbose, Smart, Fast). It also redacts the data in all display modes such as List or Raw. I know the data will remain on disk and it would be better to do at index time. This is a good option for a quick mask with follow up conversations pending.

[wineventlog]


EXTRACT-DOB = \<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>
EVAL-DateOfBirth = if(isnull(DateOfBirth),NULL,"<REDACTED>")


EXTRACT-SSN = \<SSN\>(?<SSN>[^\<]+)\<\/SSN\>
EVAL-SSN = if(isnull(SSN),NULL,"<REDACTED>")


EXTRACT-LicenseNumber = \<LicenseNumber\>(?<LicenseNumber>[^\<]+)\<\/LicenseNumber\>
EVAL-LicenseNumber = if(isnull(LicenseNumber),NULL,"<REDACTED>")


EXTRACT-VIN = \<VIN\>(?<VIN>[^\<]+)\<\/VIN\>
EVAL-VIN = if(isnull(VIN),NULL,"<REDACTED>")

#Replace raw

EVAL-_raw = replace(_raw,"<(DateOfBirth|SSN|LicenseNumber|VIN)>([^\<]+)","<\1><REDACTED>")
EVAL-Message = replace(Message,"(.+)","<REDACTED>")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jgbricker
Contributor
‎04-03-2019 01:23 PM

The following props.conf worked in all modes (Verbose, Smart, Fast). It also redacts the data in all display modes such as List or Raw. I know the data will remain on disk and it would be better to do at index time. This is a good option for a quick mask with follow up conversations pending.

[wineventlog]


EXTRACT-DOB = \<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>
EVAL-DateOfBirth = if(isnull(DateOfBirth),NULL,"<REDACTED>")


EXTRACT-SSN = \<SSN\>(?<SSN>[^\<]+)\<\/SSN\>
EVAL-SSN = if(isnull(SSN),NULL,"<REDACTED>")


EXTRACT-LicenseNumber = \<LicenseNumber\>(?<LicenseNumber>[^\<]+)\<\/LicenseNumber\>
EVAL-LicenseNumber = if(isnull(LicenseNumber),NULL,"<REDACTED>")


EXTRACT-VIN = \<VIN\>(?<VIN>[^\<]+)\<\/VIN\>
EVAL-VIN = if(isnull(VIN),NULL,"<REDACTED>")

#Replace raw

EVAL-_raw = replace(_raw,"<(DateOfBirth|SSN|LicenseNumber|VIN)>([^\<]+)","<\1><REDACTED>")
EVAL-Message = replace(Message,"(.+)","<REDACTED>")
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-01-2019 09:54 PM

There is no sense doing this at search time; do it at index-time like this:

[wineventlog]
SEDCMD-StripPII = s/<(DateOfBirth|SSN|LicenseNumber|VIN)>(.*?)<\/(DateOfBirth|SSN|LicenseNumber|VIN)>/<\1>##masked##<\\\3>/g

You can do it at search time similarly, like this (but I think that is silly, as it is trivially defeated):

[wineventlog]
EVAL-_raw = replace(_raw,"<(DateOfBirth|SSN|LicenseNumber|VIN)>(.*?)<\/(DateOfBirth|SSN|LicenseNumber|VIN)>", "<\1>###<\\\3>")
Reply
Solved! Jump to solution

jgbricker
Contributor
‎04-02-2019 05:19 AM

Thanks, this was to discover options after ingest other than pipe to delete or export, delete, re-ingest.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-01-2019 02:11 PM

Since all your eval trying to update same field (_raw), only last one would be effective. You can confirm that by running a btool command against that sourcetype.

Again, These search time mask will only apply if a user is running search on Smart/Verbose mode. If a user is running the search in fast mode, user can still see the original data. If you're OK with that fact, give this a try

[wineventlog]     
 ##DOB mask
 EXTRACT-DOB = \<DateOfBirth\>(?<DateOfBirth>[^\<]+)\<\/DateOfBirth\>
 EVAL-DOB = if(isnull(DateOfBirth),NULL,"##masked##")

 ##SSN mask
 EXTRACT-SSN = \<SSN\>(?<SSN>[^\<]+)\<\/SSN\>
 EVAL-SSN = if(isnull(SSN),NULL,"##masked##") 

 ##LicenseNumber mask
 EXTRACT-LicenseNumber = \<LicenseNumber\>(?<LicenseNumber>[^\<]+)\<\/LicenseNumber\>
 EVAL-LicenseNumber = if(isnull(LicenseNumber),NULL,"##masked##") 

 ##VIN mask
 EXTRACT-VIN = \<VIN\>(?<VIN>[^\<]+)\<\/VIN\>
 EVAL-VIN = if(isnull(VIN),NULL,"##masked##")

 ##Raw data mask
 EVAL-_raw = replace(_raw,"(\<)(VIN|DateOfBirth|LicenseNumber|SSN)(\>)([^\<]+)", "\1\2\3##masked##")
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎10-21-2019 01:03 AM

Could you explain why this is not working in fast mode?

0 Karma
Reply
Solved! Jump to solution

jgbricker
Contributor
‎04-03-2019 01:25 PM

Thanks for help!

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...