Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to mask sensitive data in search from any app in Splunk

cbright
Explorer
‎10-06-2015 09:07 AM

I have looked at answers for this already, but when I try any of them, my search still shows the unmasked data.

Sample data:

10.98.112.52 - myid [06/Oct/2015:09:42:39 -0400] "GET /mySeal/VUEIT/myPortal/ApplicationSelection/CheckDeatilsSSN?SSN=123-45-6789&TAXID=&RecipientType=Agent&_= HTTP/1.1" 200 22

Tried the following:

props.conf:

[source::WebProxy]
TRANSFORMS-anonymize = ssn-web-anonymizer

transfoms.conf:

[ssn-web-anonymizer]
REGEX = (?m)^(.*)SSN=\d\d\d\-\d\d\-\d\d\d\d(\&.*)$
FORMAT = $1SSN=###-##-####$2
DEST_KEY = _raw

Also tried:

props.conf:

[source::WebProxy]
SEDCMD-hidessn=s/(SSN=\d{3})\-(\d{2})\-(\d{4})/SSN=xxx\-xx\-xxxx/g

What am I doing wrong?

Again I need the data masked no matter where the search is being done.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-07-2015 06:01 AM

Data that has already been indexed in Splunk is immutable. If this were not so, Splunk would be fairly useless for compliance purposes. The best that you can do is to use the delete command to hide the data (as I said, it is immutable so it doesn't really get deleted but it does become unsearchable). You could use roles to limit who has access to the data.

One other crazy idea is to manually modify the data and then reindex it by sending into a Summary Index using the collect command and then use both indices in your searches until the data ages out like this:

index=normal_index OR index=my_SI_hack ...

This has the benefit of not costing you any license so you could slam 11 months of backlog in and not go over (and then delete the original events).

Reply

woodcock
Esteemed Legend
‎12-08-2015 08:03 AM

Did this explain what you were seeing?

0 Karma
Reply

cbright
Explorer
‎10-06-2015 09:18 AM

Again I need the data masked for already indexed data no matter where or how the search is being done.

It seems if this is not possible I would have to delete all data for the past 11 months and that really is not an acceptable option.

0 Karma
Reply

somesoni2
Revered Legend
‎10-06-2015 09:18 AM

Both your solution works fine for me. Did you make this changes to Indexer/Heavy forwarder and restarted the SPlunk instance in them??
Also, this will mask any future data only, historical data will remain as it is.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...