Getting Data In

How to mask SSN at index-time using SEDCMD in props.conf?

locose
Path Finder

I'm trying to mask SSN using the SEDCMD command, but it isn't working.

My search:

sourcetype = my_source_type   *SSN

returns

'Call_SSN'   '123456789'
'Ssn_bla'    '987654321'
'bla_SSN'   '123456789'

I updated the system/local/props.conf

[my_source_type]
SEDCMD-ssncall = s/=\d{5}(\d{4})/*SSN   xxxxx\1/g

But it's not masking it.

0 Karma

woodcock
Esteemed Legend

If you are using INDEXED_EXTRACTIONS to create those fields, then they are created at Index-Time in the time parsing portion of the pipeline that executes before the SEDCMD is executed. If you get SEDCMD working what should happen is that field _raw will be modified, but the INDEXED_EXTRACTIONS fields will still contain the pre-mod text.

0 Karma

MuS
SplunkTrust

This is why I told this before 😉 ->

Place this on the Splunk instance where the parsing happens
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

0 Karma

MuS
SplunkTrust

Hi locose,

looks like the regex does not match your example events; this regex will match:

 [SsNn_]+.+?['\s]+\d+'

tested and working on https://regex101.com . So your props.conf should look like this:

[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g

Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings and restart Splunk; it will also only be applied to new events.

Hope this helps ...

cheers, MuS

0 Karma
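Added example, not from the thread or from Splunk: an offline emulation of the `s/.../.../g` replacement on the three constructed sample events above, comparing the question's original SEDCMD (which never matches because the events contain no `=`) with the regex proposed in this answer, plus a verification check that no nine-digit run survives. It assumes Python's `re` behaves like Splunk's PCRE-based SEDCMD for these particular patterns; the `LAST4_PATTERN` variant that keeps the last four digits is my own assumption about what the question's `xxxxx\1` replacement was aiming for.

```python
import re

# Constructed sample events mirroring the thread (not real data).
SAMPLE_EVENTS = [
    "'Call_SSN'   '123456789'",
    "'Ssn_bla'    '987654321'",
    "'bla_SSN'   '123456789'",
]

# SEDCMD from the question: it expects "=123456789", which never occurs here.
ORIGINAL_PATTERN = r"=\d{5}(\d{4})"
ORIGINAL_REPL = r"*SSN   xxxxx\1"

# Regex from the answer: eats the field name plus the quoted value.
ANSWER_PATTERN = r"[SsNn_]+.+?['\s]+\d+'"
ANSWER_REPL = r"*SSN    xxxxx"

# Assumed variant (not from the thread): match only the 9-digit value,
# mask the first five digits and keep the last four via the capture group.
LAST4_PATTERN = r"'\d{5}(\d{4})'"
LAST4_REPL = r"'xxxxx\1'"

NINE_DIGITS = re.compile(r"\d{9}")


def apply_sedcmd(event, pattern, repl):
    """Emulate 's/pattern/repl/g' on a single _raw event (global replace)."""
    return re.sub(pattern, repl, event)


def mask_events(events, pattern, repl):
    """Apply the same SEDCMD to every event, as the parsing pipeline would."""
    return [apply_sedcmd(e, pattern, repl) for e in events]


def unmasked_count(events):
    """Verification: how many events still contain a nine-digit run."""
    return sum(1 for e in events if NINE_DIGITS.search(e))


if __name__ == "__main__":
    for name, pat, rep in [("original", ORIGINAL_PATTERN, ORIGINAL_REPL),
                           ("answer", ANSWER_PATTERN, ANSWER_REPL),
                           ("last4", LAST4_PATTERN, LAST4_REPL)]:
        out = mask_events(SAMPLE_EVENTS, pat, rep)
        print(f"{name}: {unmasked_count(out)} event(s) still unmasked")
        for line in out:
            print("   ", line)
```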

locose
Path Finder

So my search query is still

sourcetype = my_source_type SSN

I'm still getting

SsN_ENA
Call_SSN
BLA_sSN

in the search results

In the system/local/props.conf

 [my_source_type]
 SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx\1/g

0 Karma

MuS
SplunkTrust

Take this run-everywhere search, which works:

| gentimes start=-1 | eval foo="'Call_SSN'   '123456789'
 'Ssn_bla'    '987654321'
 'bla_SSN'    '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN    xxxxx/g"

My provided SEDCMD will only replace the values, NOT the fields.

0 Karma

locose
Path Finder

Hello MuS,

Unfortunately that didn't work.

0 Karma

MuS
SplunkTrust

Can you tell what you did?

0 Karma