Getting Data In

Not able to mask the data.

vikcee
Path Finder

Hi,

For my learning purposes, I have installed Splunk and configured a universal forwarder. Now I want to hide/mask some data, but I am not able to. Below are the required details.
Please let me know if anything else is needed.

Sample log
SERVICE NOTIFICATION: 9123456780;www.test.com;Kibana_Service_Check;CRITICAL;notify-service-by-email;connect to address xx.xx.xxx.xxx and port 5601: Connection refused

Sample mobile number (9123456780) needs to be masked

Field details:

Contact_group=9123456780

props.conf

[nagios]
TRANSFORMS-anonymize = Contact_group-anonymizer

transforms.conf

[Contact_group-anonymizer]
REGEX = (?m)^(.*)Contact_group=^[\[\]\d\s\w]+.\s(?<Contact_group>[a-z]+).
FORMAT = $1Contact_group=###########$2
DEST_KEY = _raw

woodcock
Esteemed Legend

Try this on your indexers:

props.conf

[nagios]
SEDCMD-anonymize_Contact_group = s/SERVICE NOTIFICATION:\s+\d+/SERVICE NOTIFICATION: Contact_group=###########/

kartm2020
Communicator

Hi Vikcee,
Please modify as below.
props.conf

[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer
transforms.conf

[session-anonymizer]
DEST_KEY = _raw
REGEX = ^(SERVICE NOTIFICATION:\s)\d+(.*)
FORMAT = $1xxxxxxxxxx$2

To answer your question.
By default Splunk will extract the field. Sometimes Splunk wouldn't be able to extract the field, so we need to write a regex to extract the field we want. In this scenario, we need to write a regex to tell Splunk what is to be masked.


gcusello
SplunkTrust

Hi
You have to modify
props.conf

[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer

transforms.conf

[session-anonymizer]
REGEX = ^SERVICE NOTIFICATION:\s[^;]*(.*)
FORMAT = SERVICE NOTIFICATION: ########$1
DEST_KEY = _raw

You can test the regex at https://regex101.com/r/WNni5C/1 .

For more info, see https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Anonymizedata

Ciao.
Giuseppe

vikcee
Path Finder

Hello Sir,

Thanks for the quick response.

I have added your comment as-is in props.conf and transforms.conf, but it's not working.

Below is the log file.

[1571992954] SERVICE NOTIFICATION: nagiosadmin;www.test.com;Elastic_Service_Check;CRITICAL;notify-service-by-email;connect to address xx.xx.xxx.xxx and port 9200: Connection refused

For my case, nagiosadmin or 9123456780 are the field with the field name "Contact_group". Does this have anything to do with it?

And I have one more question: In regex section what exactly is needed?

thanks
Vikash

gcusello
SplunkTrust

HI vikcee,
A section is a part of the source that must remain as in the original. In your sample: the first part must remain as in the original, the central part must be masked, and the second section must remain as in the original.

The sample now is different, use this regex in transforms.conf:

REGEX = ^(.*)SERVICE NOTIFICATION:\s[^;]*;(.*)
FORMAT = $1SERVICE NOTIFICATION: ########;$2

You can test regex at https://regex101.com/r/WNni5C/2

Ciao.
Giuseppe

vikcee
Path Finder

Hello sir,

Thanks a lot. It's working as expected. But one more question: what if I have to mask partially, such as the last 5 characters or 5 characters from the start?

gcusello
SplunkTrust

You're welcome!
Anyway, the approach is the same, you have only to change the regex:

REGEX = ^(.*)SERVICE NOTIFICATION:\s[^;]{5}(.*)
FORMAT = $1SERVICE NOTIFICATION: #####$2

In this way only the first 5 chars of the number or of the user are masked and the others are shown.
You can test it at https://regex101.com/r/WNni5C/3 .

Ciao and Next time!
Giuseppe

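To check what the full-mask and partial-mask stanzas above, and a SEDCMD equivalent, would do to the two sample events before deploying them to an indexer, here is an added Python emulation (not Splunk's code and not from any post in this thread). It assumes FORMAT is a literal string in which only $1, $2, ... are substituted, and that the sample events are as quoted in the thread:

```python
import re

# Constructed sample events, copied from the two log formats shown in the thread.
EVENT_NO_TS = ("SERVICE NOTIFICATION: 9123456780;www.test.com;Kibana_Service_Check;"
               "CRITICAL;notify-service-by-email;connect to address xx.xx.xxx.xxx "
               "and port 5601: Connection refused")
EVENT_TS = ("[1571992954] SERVICE NOTIFICATION: nagiosadmin;www.test.com;"
            "Elastic_Service_Check;CRITICAL;notify-service-by-email;connect to "
            "address xx.xx.xxx.xxx and port 9200: Connection refused")

# A transforms.conf stanza modelled as REGEX + FORMAT. FORMAT is assumed to be
# a literal string in which only $1, $2, ... are replaced by capture groups,
# so regex syntax such as ^ or \s inside FORMAT would land in _raw verbatim.
FULL_MASK = {
    "REGEX": r"^(.*)SERVICE NOTIFICATION:\s[^;]*;(.*)",
    "FORMAT": "$1SERVICE NOTIFICATION: ########;$2",
}
# Partial mask: hide only the first 5 characters of the contact, keep the rest.
PARTIAL_MASK = {
    "REGEX": r"^(.*)SERVICE NOTIFICATION:\s[^;]{5}(.*)",
    "FORMAT": "$1SERVICE NOTIFICATION: #####$2",
}
# SEDCMD-style alternative: s/<pattern>/<replacement>/ applied to _raw.
# [^;]+ matches both the numeric and the user-name form of the contact.
SEDCMD_MASK = (r"SERVICE NOTIFICATION:\s+[^;]+", "SERVICE NOTIFICATION: ##########")


def apply_transform(raw, stanza):
    """Emulate a DEST_KEY = _raw transform: on a match, rebuild _raw from FORMAT."""
    m = re.search(stanza["REGEX"], raw)
    if not m:
        return raw  # no match: the event is indexed unchanged

    def group_value(token):
        return m.group(int(token.group(1))) or ""

    return re.sub(r"\$(\d+)", group_value, stanza["FORMAT"])


def apply_sedcmd(raw, pattern, replacement):
    """Emulate SEDCMD-<name> = s/pattern/replacement/ (first match, as in sed)."""
    return re.sub(pattern, replacement, raw, count=1)


if __name__ == "__main__":
    for event in (EVENT_NO_TS, EVENT_TS):
        print(apply_transform(event, FULL_MASK))
        print(apply_transform(event, PARTIAL_MASK))
        print(apply_sedcmd(event, *SEDCMD_MASK))
```

An event that does not match the REGEX is returned unchanged, which is also how Splunk behaves, so a regex that looks for text absent from the raw event (such as "Contact_group=") masks nothing.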

vikcee
Path Finder

Hello Sir,

Got the point. Thanks a lot.

For my practice I have masked all the fields one by one 😛

Thanks
Vikash

gcusello
SplunkTrust

Happy to have helped you!
Ciao and Next Time!
Giuseppe


FrankVl
Ultra Champion

Where did you deploy this masking config? This should be on a full Splunk Enterprise instance, not on the UF.

Also: your regex looks for 'Contact_group=', while that string does not exist in your raw event. Also, I'm not sure what that ^ is doing there, after the 'Contact_group='.

So I think your regex needs some work. Try tools like regex101.com to test your regex and see if it captures what you need.

Also: this may be done much simpler and much more efficiently by using a SEDCMD in props.conf.


vikcee
Path Finder

Hello Sir,

I am very new to Splunk. I have deployed the above conf in props.conf and transforms.conf. I am not sure what exactly needs to be done in the regex section. Do we need to write a regex to fetch the field that we are planning to mask, or something else?

https://regex101.com/r/7roqEj/1 

And thanks for the suggestion about SEDCMD; I will check the documentation on how I can do this.

Thanks
Vikash
