Solved: Is it possible to "censor" (anonymize) strings in ...

mwilson · ‎11-17-2015

We have some logs that have some sensitive data that I would like to replace with ********. Is it possible to set up a regex to check a sourcetype/text match and do this?

I know it's possible to just drop the line, but I'm hoping to keep the rest of the line and just replace the "sensitive" data.

yannK · ‎11-17-2015

Look at the command "SEDCMD"in the props.conf, at index time.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Data/Anonymizedata

View solution in original post

renems · ‎11-17-2015

You probably want to use event based routing. Best thing you can do, is to set up a heavy/intermediate forwarder. This way you can set up a transforms that masks the data you like (based on regexes). You can read more about this here: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Configure_routing

You might also want to consider the following: How about not masking (=editing) the data, but instead move those specific lines to another index? You then grant access to that index only for those users that are accountable. That way you didn't edit the data, and restrict access to those who shouldn't be able to query it anyway. You find how in the same link (point 3 and 4).

yannK · ‎11-17-2015

Look at the command "SEDCMD"in the props.conf, at index time.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Data/Anonymizedata

mwilson · ‎11-17-2015

Thank you, my search foo not so good, kept searching for censor.

Will give it a go.

Is it possible to "censor" (anonymize) strings in a log?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!