Community:AnonymizingDataExample

From Splunk Wiki


In this example, any file under a "secure" directory will have its email and password values replaced with dummy values.

Step 1) In props.conf, tell Splunk that any file under a "secure" directory should have our two transformation rules run over its data.

[source::.../secure/...]
TRANSFORMS = anonymize-email,anonymize-password

Step 2) In transforms.conf, define the two transformations as regular expressions, one for email addresses and one for passwords, together with the value each match should be replaced with.

# anonymizes email address as user@domain.com
[anonymize-email]
REGEX         = ^(.*)(?:(?<!\w)(\w[\w\-\.]+@\w[\w\-\.]+\.[a-z]{1,4}))(.*)$
FORMAT        = $1 user@domain.com $3
DEST_KEY      = _raw

# anonymizes password/passwd looking values as 'password'
# examples:
#    passwd=none
#    LogOdbcPassword: sqllog
#    file needs this password: `xxj31ZMTZzkVA'.
#     user_password =  '52616e646f6d49567868784027dafce21cd9c6689fc5554c'
[anonymize-password]
REGEX         = (?i)^(.*passw(?:or)?d\s*[=:]\s*?)([^, \t]+)(\s*.*)$
FORMAT        = $1 password $3
DEST_KEY      = _raw

That's it. Any file under a "secure" directory will have its email addresses replaced with "user@domain.com" and its passwords replaced with "password".
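To see what these two rules actually do to a line of data before deploying them, the following Python script (an added example, not part of the original wiki page or of Splunk) applies the same REGEX/FORMAT pairs to a few constructed sample lines. It assumes Python's re engine handles these patterns the same way Splunk's PCRE does (the constructs used, a negative lookbehind, a non-capturing group and an inline (?i) flag, behave identically in both), and it translates Splunk's $N back-references to Python's \N. The function name anonymize and the sample lines are this example's own. It also shows one property of the rules that the page does not spell out: because each regex is anchored with ^ and $ and begins with a greedy .*, only the last email address (or password) on a line is replaced.

```python
import re

# The two transforms.conf rules, translated to Python's re module.
# Splunk writes back-references as $1/$3; Python uses \1/\3.
EMAIL_RE = re.compile(
    r"^(.*)(?:(?<!\w)(\w[\w\-\.]+@\w[\w\-\.]+\.[a-z]{1,4}))(.*)$"
)
EMAIL_FMT = r"\1 user@domain.com \3"

PASSWORD_RE = re.compile(
    r"(?i)^(.*passw(?:or)?d\s*[=:]\s*?)([^, \t]+)(\s*.*)$"
)
PASSWORD_FMT = r"\1 password \3"


def anonymize(line: str) -> str:
    """Apply anonymize-email, then anonymize-password, in the order the
    TRANSFORMS setting lists them. Each pattern is anchored to the whole
    line, so re.sub() rewrites the line at most once per rule and returns
    it unchanged when the rule does not match."""
    line = EMAIL_RE.sub(EMAIL_FMT, line)
    line = PASSWORD_RE.sub(PASSWORD_FMT, line)
    return line


def anonymize_lines(lines):
    """Convenience wrapper for a whole file's worth of lines."""
    return [anonymize(line) for line in lines]


# Constructed sample lines (not real data). The last one deliberately
# carries two email addresses to show that only the final one is masked.
SAMPLE_LINES = [
    "login ok for alice@example.com from 10.0.0.1",
    "passwd=none",
    "LogOdbcPassword: sqllog",
    "auth alice@example.com password=s3cret",
    "from bob@example.com to carol@example.org",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, anonymize_lines(SAMPLE_LINES)):
        print(f"{before!r}\n  -> {after!r}")
```

Running it shows the padding spaces that the FORMAT strings introduce around the replacement values, and that the two-address line comes back as "from bob@example.com to  user@domain.com ", with the first address intact. If a source can carry more than one secret per event, the rules as written need to be checked against such lines in Splunk itself rather than assumed to mask every occurrence.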
