I'm trying to mask SSN using the SEDCMD command, but it isn't working.
My search:
sourcetype = my_source_type *SSN
returns
'Call_SSN' '123456789'
'Ssn_bla' '987654321'
'bla_SSN' '123456789'
I updated the system/local/props.conf
[my_source_type]
SEDCMD-ssncall = s/=\d{5}(\d{4})/*SSN xxxxx\1/g
But it's not masking it.
If you are using INDEXED_EXTRACTIONS to create those fields, then they are created at index time in the parsing portion of the pipeline, which executes before the SEDCMD is executed. If you get SEDCMD working, what should happen is that the _raw field will be modified, but the INDEXED_EXTRACTIONS fields will still contain the pre-modification text.
This is why I told you this before 😉 ->
Place this on the Splunk instance where the parsing happens
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
Hi locose,
looks like the regex does not match your example events; this regex will match:
[SsNn_]+.+?['\s]+\d+'
tested and working on https://regex101.com. So your props.conf should look like this:
[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx/g
Place this on the Splunk instance where the parsing happens http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings and restart Splunk; it will also only be applied to new events.
Hope this helps ...
cheers, MuS
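To see why the two regexes behave differently on the events quoted in the question, here is an added example (not part of the original thread or of Splunk) that applies both sed-style substitutions with Python's re module, used here as a stand-in for Splunk's SEDCMD engine; the substitution semantics are close enough for these patterns, but that equivalence is an assumption. The three events are constructed to mirror the ones in the question. The third pattern, which keeps the field name and masks only the first five digits, is a hypothetical variant added to show what a tighter substitution looks like, not something proposed in the thread.

```python
import re

# Constructed sample events modelled on the ones quoted in the question (not real data).
SAMPLE_EVENTS = [
    "'Call_SSN' '123456789'",
    "'Ssn_bla' '987654321'",
    "'bla_SSN' '123456789'",
]

# Pattern from the original props.conf: it requires an '=' directly before the digits,
# and none of the sample events contains one, so it can never match them.
ORIGINAL_PATTERN = r"=\d{5}(\d{4})"
ORIGINAL_REPLACEMENT = r"*SSN xxxxx\1"

# Pattern from MuS's answer: the run from the SSN-like field name through the
# quoted digit string is replaced in one go.
MUS_PATTERN = r"[SsNn_]+.+?['\s]+\d+'"
MUS_REPLACEMENT = "*SSN xxxxx"

# Hypothetical variant (assumption, not from the thread): anchor on the quoted
# nine-digit value, keep the field name and the last four digits.
KEEP_LAST4_PATTERN = r"'(\d{5})(\d{4})'"
KEEP_LAST4_REPLACEMENT = r"'xxxxx\2'"


def sed_substitute(pattern, replacement, text):
    """Equivalent of s/pattern/replacement/g on one event; returns (new_text, matches)."""
    return re.subn(pattern, replacement, text)


def mask_events(pattern, replacement, events=SAMPLE_EVENTS):
    """Apply one substitution to every event; returns (masked_events, total_matches)."""
    masked = []
    total = 0
    for event in events:
        new_text, count = sed_substitute(pattern, replacement, event)
        masked.append(new_text)
        total += count
    return masked, total


def contains_nine_digit_run(events):
    """True if any event still carries an unmasked nine-digit sequence."""
    return any(re.search(r"\d{9}", event) for event in events)


if __name__ == "__main__":
    for label, pat, rep in [
        ("original", ORIGINAL_PATTERN, ORIGINAL_REPLACEMENT),
        ("MuS", MUS_PATTERN, MUS_REPLACEMENT),
        ("keep-last-4", KEEP_LAST4_PATTERN, KEEP_LAST4_REPLACEMENT),
    ]:
        out, n = mask_events(pat, rep)
        print(f"{label}: {n} match(es), still leaks SSN: {contains_nine_digit_run(out)}")
        for line in out:
            print("   ", line)
```

Running it shows the original pattern making zero substitutions, MuS's pattern masking all three events (at the cost of part of the field name, since the match starts at the first character in the `[SsNn_]` class), and the variant keeping `'Call_SSN' 'xxxxx6789'`. Whichever pattern ends up in props.conf, the check that matters is the last one: after the substitution, no nine-digit run should survive in _raw.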
So my search query is still
sourcetype = my_source_type SSN
I'm still getting
SsN_ENA
Call_SSN
BLA_sSN
in the search results
In the system/local/props.conf
[my_source_type]
SEDCMD-ssncall = s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx\1/g
Take this run-everywhere search, which works:
| gentimes start=-1 | eval foo="'Call_SSN' '123456789'
'Ssn_bla' '987654321'
'bla_SSN' '123456789'" | rex mode=sed max_match=0 field=foo "s/[SsNn_]+.+?['\s]+\d+'/*SSN xxxxx/g"
My provided SEDCMD will only replace the values, NOT the fields.
Hello MuS
Unfortunately that didn't work.
Can you tell what you did?