Using SEDCMD in Splunk Cloud

catchaj88
Explorer

Task: Mask PII data at Index Time

Current Setup: Universal forwarders to forward logs to Splunk

Based on documentation, SEDCMD seems to be the best option to mask PII data at index time. How can I configure SEDCMD in Splunk Cloud?


skoelpin
SplunkTrust

You're going to need backend access to apply SEDCMD.

Before doing this, why not just stream PII data to a new restricted index or even better, a restricted environment?


catchaj88
Explorer

@skoelpin

Thanks for the suggestion. We will be definitely using restricted indices for handling PII data.

However, my objective is to not have any sensitive data available in Splunk at all. Do you have any suggestion to achieve that?


skoelpin
SplunkTrust

Yes, if you want to take the added security then you should apply SEDCMD at index time. This will create a golden copy without the sensitive data.

This will require an indexer restart.

Place this in your props.conf and restart splunkd. You will need to create a regular expression of your PII data and it will replace it with XXXXXXXXX. If you need help with the regex, you can post a sample (obviously not the real sample) and I can give you a hand.

[sourcetype]
SEDCMD-removePII = s/<REGEX OF PII DATA>/XXXXXXXX/g

I would recommend testing this at search time first to make sure your sedcmd command is working correctly.

... | rex mode=sed "s/<REGEX OF PII DATA>/XXXXXXXX/g"

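A pre-deployment check for the masking pattern described in the post above, added here as an example and not code from the thread. The rule names, both patterns, the sample events and the `my_app_logs` sourcetype are assumptions; Python's `re` is not Splunk's regex engine, so the search-time `rex mode=sed` test still applies.

```python
import re

# Hypothetical masking rules: SEDCMD class name -> regex (assumed patterns).
MASK_RULES = {
    "mask_ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "mask_card": r"\b(?:\d{4}[ -]?){3}\d{4}\b",
}
REPLACEMENT = "XXXXXXXX"

# Constructed events, each paired with the values that must not survive masking.
SAMPLES = [
    ("2024-01-15 10:02:11 user=alice action=update ssn=123-45-6789 status=ok",
     ["123-45-6789"]),
    ("2024-01-15 10:02:12 user=bob action=pay card=4111 1111 1111 1111 amount=20.00",
     ["4111 1111 1111 1111"]),
    ("2024-01-15 10:02:13 user=carol action=login src=10.0.0.5 status=ok", []),
    ("2024-01-15 10:02:14 user=dave action=pay card=4111-1111-1111-1111 ssn=987-65-4321",
     ["4111-1111-1111-1111", "987-65-4321"]),
]

def mask_event(event):
    """Apply every rule to the whole event, like the /g flag in the sed expression."""
    for pattern in MASK_RULES.values():
        event = re.sub(pattern, REPLACEMENT, event)
    return event

def leaked_values(samples):
    """Under-masking: sensitive values still present after masking."""
    return [v for event, values in samples for v in values if v in mask_event(event)]

def over_masked(samples):
    """Over-masking: events without sensitive values that masking changed anyway."""
    return [e for e, values in samples if not values and mask_event(e) != e]

def props_stanza(sourcetype):
    """Render the rules as SEDCMD-<class> settings for props.conf."""
    lines = [f"[{sourcetype}]"]
    for name, pattern in MASK_RULES.items():
        escaped = pattern.replace("/", r"\/")  # "/" is the sed delimiter
        lines.append(f"SEDCMD-{name} = s/{escaped}/{REPLACEMENT}/g")
    return "\n".join(lines)

if __name__ == "__main__":
    for event, _ in SAMPLES:
        print(mask_event(event))
    print("leaked:", leaked_values(SAMPLES), "over-masked:", over_masked(SAMPLES))
    print(props_stanza("my_app_logs"))  # hypothetical sourcetype name
```

Add a sample for every format the PII can take: an SSN written without dashes, for instance, is reported by `leaked_values` because the dashed pattern does not match it.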

catchaj88
Explorer

Thank you!
