I am using HTTP Event Collector & Splunk logging for java (logback). The events contain a username (e-mail address) which needs to be obfuscated. I'm looking for suggestions on how to best do this while still allowing me to do stats by username. For example, replace username with some sort of id? My gut tells me the best way would be to ask the app team handle this before logs are generated.
Thank you.
Hello,
This is a large topic with a variety of ways to implement it. There was a .conf presentation detailing a few different ways and to do this. You seem to be looking for psuedononymous obfuscation so look out for those options in the slides: https://conf.splunk.com/files/2017/slides/data-obfuscation-and-field-protection-in-splunk.pdf
edit: Here is the above video for better context:
https://conf.splunk.com/files/2017/recordings/data-obfuscation-and-field-protection-in-splunk.mp4
Splunk provides their own documentation at: https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/Anonymizedata
There, they detail one of the easiest ways using a props and transforms regex :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Scrub