Thanks for the link and its clarity.
Pseudonymisation in Splunk is not built-in, so one must rely on external programs to pseudonymise incoming raw data (one or several strings). I have found a Splunk app related to that issue: https://splunkbase.splunk.com/app/282/
I have also found a talk at the Splunk Conf 2017 clearly addressing the problem and the possible solutions:
link: http://conf.splunk.com/sessions/2017-sessions.html#search=obfuscation
pdf: https://conf.splunk.com/files/2017/slides/data-obfuscation-and-field-protection-in-splunk.pdf
Personally, I have the possibility to pseudonymize the input data before any Splunk indexation, so maybe I'll head that way for now.
The need here is to pseudonymize and not anonymise, which is different. Therefore the need is to be able to trace someone uniquely regardless of who he is by name. Anonymisation will lose traceability between events by replacing valuable information with "just" XXXX characters.
Regards,
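Added example (not part of the original posts, and not code from the Splunk app or the conf talk linked above): one way to pseudonymise a field before indexing, using a keyed HMAC so the same user always maps to the same token, contrasted with XXXX masking. The `user=` field, the sample events and the key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample events; the user= field name and layout are assumptions.
SAMPLE_EVENTS = [
    "2018-07-12T18:36:28Z action=login user=alice@example.com src=10.0.0.5",
    "2018-07-12T18:40:02Z action=download user=bob@example.com src=10.0.0.9",
    "2018-07-12T18:41:17Z action=logout user=alice@example.com src=10.0.0.5",
]

# Match user=<value> only when "user" is a whole key, not a suffix of another key.
USER_FIELD = re.compile(r"(?<![\w.])user=(\S+)")


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic token: the same value and key give the same token."""
    # Lower-casing is an assumption so that Alice@... and alice@... correlate.
    digest = hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256)
    return "p_" + digest.hexdigest()[:length]


def pseudonymise(event: str, key: bytes) -> str:
    """Replace the user value with its pseudonym; the rest of the event is untouched."""
    return USER_FIELD.sub(lambda m: "user=" + pseudonym(m.group(1), key), event)


def anonymise(event: str) -> str:
    """Mask the user value; events can no longer be tied to one another."""
    return USER_FIELD.sub("user=XXXX", event)


def distinct_users(events):
    """Set of user values seen, i.e. how many identities remain distinguishable."""
    return {m.group(1) for e in events for m in USER_FIELD.finditer(e)}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a secret kept outside the indexed data
    for e in SAMPLE_EVENTS:
        print(pseudonymise(e, key))
    print("masked:", distinct_users(anonymise(e) for e in SAMPLE_EVENTS))
```

Whoever holds the key can recompute a token for a known identity, so the key has to be stored and access-controlled separately from the indexed data.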
Hi there,
I face the same issue/requirement. A good use case is nowadays when we use Splunk on sensitive incoming data that needs pseudonymisation, in order to be compliant with the European General Data Protection Regulation (GDPR).
Regards,
I have had the issue. It works for me. Be very careful to make etime a number in the collections.conf
field.etime=number => CORRECT
field.etime=string => INCORRECT
Personally, I used the REST API to fill in the KV Store and my JSON for the etime field is:
{
...
"etime": 1531418188, ==> a number !!! "1531418188" would be KO, try it for yourself
...
}
Cheers,
Fab