- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Mask a particular field in csv data at Index time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mask a particular field in csv data at Index time
I have a csv data that contains some sensitive information like client ip. Here is how one of the rows of the data looks:
David, London,...several more columns...,192.168.0.1
What I want is to mask the IP replacing it with the string "XXXXXXX" so that it produces, for the above row:
David, London, ...several more columns..., XXXXXXX
Also, this operation needs to be performed at index-time.
I have tried setting up transforms in prop.conf and transform.conf:
[source::data.csv]
TRANSFORMS-masking = pii-mask
[pii-mask]
REGEX = .*
FORMAT = ClientIP::XXXXXX
SOURCE_KEY = ClientIP
DEST_KEY = ClientIP
However, even after doing this, the IP still comes up. Can anybody tell me how to fix this issue?
It seems to me that the fields have not been extracted when the transforms are run. If this is the case, how should I get extraction done before transformation?
Edit:
One of the columns in the data is address. This field can contain arbitrary number of commas, for example: "#221, Baker Street, London, England". So, I can't use a simple regular expression in sed. Instead, what I want to know is how to do transforms on extracted field rather than on the _raw field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey,
if you want to do masking on extracted field while displaying then you can use below spl query:
<base search>| replace * WITH XXXXXX IN ClientIP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to do masking at index time, not search time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (need the serial no at which the field appears on CSV, I'm assuming 15, adjust accordingly)
[source::data.csv]
SEDCMD-masking = s/^(([^\,]+,){14})(\d+\.\d+\.\d+\.\d+)/\1XX.XX.XX.XX/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ya, this will work. But, I want to operate on the extracted field rather than on the _raw key. Is there any way I can use an extracted field in my SOURCE_KEY attribute?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try following simple SED example here: https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_...
transforms.conf -
[ClientIP-anonymizer]
REGEX = (?m)^(.*)ClientIP=\d+\.\d+\.\d+\.\d+(.*)$
FORMAT = $1ClientIP=########$2
DEST_KEY = _raw
props.conf -
[source::data.csv]
TRANSFORMS-anonymize = ClientIP-anonymizer
Hope this helps!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
