I am trying to mask PII data at index time. Here is an example of PII data I am trying to mask:
RecipientSSNxxx-xx-4321RecipientSSN
I am able to mask it at search time using this:
source= mysource
| rex "(?<RecipientSSN>\d{3}\-\d{2}\-\d{4})"
| rex field=RecipientSSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g"
However, I need it to be masked at index time. I have tried the following in props.conf and transforms.conf (system\local for both):
props.conf
[nsb_message]
TRANSFORMS-anonymize = ssn-anonymizer
transforms.conf
[ssn-anonymizer]
regex = (\d{3}\-\d{2}\-)(\d{4})
FORMAT= $1XXX-XX-$2
DEST_KEY = _raw
I have restarted Splunk, input new test files via index file monitors one-time, and the SSN is still not masked. Any help would be appreciated. I verified that the sourcetype does exist in the inputs.conf (system\local) as well.
Any help or pointers would be greatly appreciated!
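An index-time counterpart to the search-time sed expression in the post, as an added example that is not part of the original post or taken from Splunk's own files. It assumes single-line events and the poster's sourcetype `nsb_message`; the class name `mask_ssn` is made up for illustration.

```ini
# props.conf: deploy on the instance that parses the data
# (indexer or heavy forwarder, not a universal forwarder)
[nsb_message]
# Option A: sed-style rewrite of _raw at parse time.
# The g flag masks every match in the event; \1 keeps the last four digits.
SEDCMD-mask_ssn = s/\d{3}-\d{2}-(\d{4})/XXX-XX-\1/g

# Option B: a transform instead of SEDCMD (use A or B, not both)
# TRANSFORMS-anonymize = ssn-anonymizer

# transforms.conf
[ssn-anonymizer]
# With DEST_KEY = _raw the expanded FORMAT becomes the new _raw, so the regex
# has to capture the text before and after the SSN and FORMAT has to put it back.
# The leading (.*) is greedy, so this form masks only the last SSN in an event.
# Setting names are spelled as in transforms.conf.spec (REGEX, FORMAT, DEST_KEY).
REGEX = (?m)^(.*)\d{3}-\d{2}-(\d{4}.*)$
FORMAT = $1XXX-XX-$2
DEST_KEY = _raw
```

Either option affects only events indexed after the change and a restart; data already in the index keeps the unmasked value. `splunk btool props list nsb_message --debug` shows which file each effective setting for the sourcetype is read from.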