Getting Data In

SEDCMD to anonymize CC data isn't working

doreno
Explorer

Hi,

I've been playing with the SEDCMD in my props.conf to anonymize CC data in a log.

Originally I tried this:

[host::nas.x.com]
SEDCMD-cc_anon = s/strRtCardNum:\s+\d{16}/strRtCardNum: ################/g

I changed that based on the Splunk example given:

SEDCMD-accounts = s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g s/cc=(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/

So now it's this:

[host::nas.x.com]
SEDCMD-cc_anon = s/strRtCardNum=\s+\d{16}/strRtCardNum= ################/g

And it's still not working. This is getting frustrating. Has anyone gotten this to work right? What am I doing wrong?

1 Solution

jonuwz
Influencer
[host::nas.x.com]
SEDCMD-cc_anon = s/ccNum:\s+\d{16}/ccNum: ################/ s/Shopper:\s+\d+/Shopper: #####/

providing the data comes from a host called nas.x.com

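To see how the SEDCMD variants in this thread behave on the sample events posted further down, here is an added Python example (not code from the thread or from Splunk). It parses each s/regex/replacement/flags expression the way props.conf lists them, applies the rules to constructed copies of the sample events (plus a made-up 15-digit number standing in for the American Express case raised later in the thread), and ends with a check for digit runs that survived masking. The field names ccNum and Shopper come from the thread; the three events and the helper names are constructed for the example.

```python
import re

# Constructed sample events, modelled on the two lines posted in the thread.
# The third line is a made-up 15-digit number standing in for the Amex case.
SAMPLE_EVENTS = [
    "CheckoutServices.finishPaymentStartOrderReview: inside is mode check Shopper: 5555555",
    "CheckoutServices.finishPaymentStartOrderReview: ccNum: 9999999999999999 Shopper: 5555555",
    "CheckoutServices.finishPaymentStartOrderReview: ccNum: 999999999999999 Shopper: 5555555",
]

# The SEDCMD values discussed in the thread: the poster's second attempt (which
# looks for a string that is not in the events), the accepted answer, and the
# accepted answer widened to 15-16 digits as suggested later in the thread.
SEDCMD_ORIGINAL = r"s/strRtCardNum=\s+\d{16}/strRtCardNum= ################/g"
SEDCMD_ACCEPTED = r"s/ccNum:\s+\d{16}/ccNum: ################/ s/Shopper:\s+\d+/Shopper: #####/"
SEDCMD_WIDENED = r"s/ccNum:\s+\d{15,16}/ccNum: ################/ s/Shopper:\s+\d+/Shopper: #####/"

# One s/regex/replacement/flags expression; any other non-blank text is an error.
_EXPR = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)|(\S+)")


def parse_sedcmd(value):
    """Split a SEDCMD value into (compiled regex, replacement, flags) rules.
    Only the s/// form with '/' as delimiter is handled (what the thread uses);
    the replacement may contain spaces, as in the accepted answer."""
    rules = []
    for m in _EXPR.finditer(value):
        if m.group(4) is not None:
            raise ValueError(f"unsupported SEDCMD expression near: {m.group(4)}")
        rules.append((re.compile(m.group(1)), m.group(2), m.group(3)))
    return rules


def apply_sedcmd(rules, event):
    """Apply the rules in order; without the g flag only the first match is replaced."""
    for pattern, replacement, flags in rules:
        event = pattern.sub(replacement, event, count=0 if "g" in flags else 1)
    return event


def anonymize(sedcmd_value, events=SAMPLE_EVENTS):
    """Run one SEDCMD value over a list of raw events and return the masked copies."""
    rules = parse_sedcmd(sedcmd_value)
    return [apply_sedcmd(rules, e) for e in events]


# A 15- or 16-digit run not glued to other digits: what a PAN looks like in this log.
_PAN_LIKE = re.compile(r"(?<!\d)\d{15,16}(?!\d)")


def unmasked_pans(events):
    """Return the events that still carry a PAN-like digit run after masking."""
    return [e for e in events if _PAN_LIKE.search(e)]


if __name__ == "__main__":
    for label, value in (("original", SEDCMD_ORIGINAL),
                         ("accepted", SEDCMD_ACCEPTED),
                         ("widened", SEDCMD_WIDENED)):
        out = anonymize(value)
        print(f"--- {label}: {len(unmasked_pans(out))} event(s) still contain a PAN-like number")
        for line in out:
            print(line)
```

Keeping the ccNum: anchor, as the accepted answer does, means the seven-digit Shopper id and any other numeric field are only touched by a rule written for them, while \d{15,16} covers both the 16-digit and the 15-digit card lengths. Two things the script cannot model: SEDCMD belongs to the parsing pipeline, which a universal forwarder does not run, so the props.conf stanza has to live on the indexer or a heavy forwarder (the point behind the "Universal Forwarder or an indexer?" question below), and the perl -pe one-liner suggested further down is the equivalent quick check against a real log file.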

mbenwell
Communicator

yeah, something like
s/\d{15,16}/xxxx/g
should work to replace all instances of 15 or 16 consecutive numbers
The "ccNum" string beforehand is just to ensure the digits being matched are always after the string ccNum.


doreno
Explorer

OK, so can I take the string out altogether and simply match all 16-digit numbers in this log?


mbenwell
Communicator

I've found using perl on the command line is the easiest way to troubleshoot SEDCMD
i.e.
perl -pe 's/ccNum:\s([0-9]{16})/ccNum: xxxx/g'

It's a quick way to see if the SEDCMD works at all, and if the output is in the format you're trying to get


mbenwell
Communicator

try modifying \d{16} to \d{15,16}


doreno
Explorer

Awesome, that worked! Only problem is now I found some 15-digit American Express cards that also need to be blocked out, but I think I can figure that out. Thank you, gentlemen, very much!


doreno
Explorer

Thank you, sir. I'm trying this now and will let you know what happens.


Ayn
Legend

Well if the string "strRTCardNum" isn't in your event, then a regex looking for that string will obviously not match.


doreno
Explorer

It's in a props.conf that is being sent to all indexers with the deployment server.

Here's some sample data.

CheckoutServices.finishPaymentStartOrderReview: inside is mode check Shopper: 5555555
CheckoutServices.finishPaymentStartOrderReview: ccNum: 9999999999999999 Shopper: 5555555

strRTCardNum was something the Splunk consultant put in before he left, though I'm not sure where he got it. It's never worked right.

Thanks guys!


Ayn
Legend

Is this done on a Universal Forwarder or an indexer?


jonuwz
Influencer

Can you provide a sample of an original event? (Just set the cc number to 99999999999999 or something.)

What's after the string strRtCardNum, is it a : or a =?
Is there really a space before the card number?
