How to mask when importing logs
- Release date: 2016-10-11
- Last updated: 2023-09-13
- Version: Splunk Enterprise 9.1.0
- Overview: How to mask when importing logs
- Content:

When importing log data, you can mask it using transforms.conf to anonymize personal information. To mask a specific string, specify in REGEX*1 a regular expression that captures the text before and after the target to be masked, and specify the output format for masking in FORMAT*2. Then specify _raw in DEST_KEY*3 to overwrite the event data.

*1. REGEX specifies the regular expression to be applied to the log data.
*2. FORMAT specifies the output format of the event, including any optional field names or values you want to add.
*3. DEST_KEY specifies the destination to which the result of FORMAT is written.

<Example data>
"2006-09-21, 02:57:11.58", 122, 11, "Path=/LoginUser Query=CrmId=ClientABC&ContentItemId=TotalAccess&SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE&SessionTime=25368&ReturnUrl=http://www.clientabc.com, Method=GET,IP=209.51.249.195,Content=", ""

<Setting example>
--------------------
props.conf
--------------------
[target source type name]
TRANSFORMS-anonymize = anonymizer
--------------------
transforms.conf
--------------------
[anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=##$2
DEST_KEY = _raw

<Mask results>
...SessionId=3A1785URH117BEA...
↓
...SessionId=##7BEA...

Splunk's regular expressions are Perl-compatible regular expressions (PCRE). For information about regular expressions that can be used in Splunk, please refer to the following document.

* (?m) executes the regular expression in multi-line mode.
* (.*) matches any sequence of characters (zero or more).
* The regular expression in the setting example captures two parts of the event: from the beginning of the line up to "SessionId=", and from the last 4 characters of the SessionId value before the following & (or ") to the end of the line. FORMAT writes these two parts back with ## in place of the characters between them.
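An offline check of the [anonymizer] transform, added here as an example (not Macnica's or Splunk's code): it emulates REGEX, FORMAT and DEST_KEY = _raw on single-line events and reports any SessionId value that is still readable in full afterwards. It assumes the regex is applied once per event and uses Python's re module as an approximation of Splunk's PCRE engine; the function names and the three edge-case events are constructed for illustration.

```python
import re

# REGEX and FORMAT copied from the [anonymizer] stanza on this page.
REGEX = r'(?m)^(.*)SessionId=\w+(\w{4}[&"].*)$'
FORMAT = '$1SessionId=##$2'

# Example event from this page (single line).
SAMPLE = ('"2006-09-21, 02:57:11.58", 122, 11, "Path=/LoginUser '
          'Query=CrmId=ClientABC&ContentItemId=TotalAccess'
          '&SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE'
          '&SessionTime=25368&ReturnUrl=http://www.clientabc.com, '
          'Method=GET,IP=209.51.249.195,Content=", ""')

def apply_transform(raw, regex=REGEX, fmt=FORMAT):
    """Emulate DEST_KEY = _raw (assumption: one match per event).
    On a match, _raw becomes FORMAT with $n replaced by capture group n;
    with no match, _raw is left unchanged."""
    m = re.search(regex, raw)
    if m is None:
        return raw
    return re.sub(r'\$(\d+)', lambda g: m.group(int(g.group(1))), fmt)

def unmasked_session_ids(raw):
    """Return SessionId values that do not start with the ## mask."""
    return re.findall(r'SessionId=(?!##)([^&"\s]+)', raw)

# Constructed edge-case events (not from the page), plus the page's sample.
CASES = {
    'page sample': SAMPLE,
    'short id (4 chars)': 'Query=CrmId=ClientABC&SessionId=7BEA&Ticket=1',
    'id at end of line': 'GET /LoginUser?SessionId=3A1785URH117BEA',
    'two ids on one line': 'SessionId=AAAAA1111&Ref=SessionId=BBBBB2222&x=1',
}

def report():
    """Map each case name to the SessionId values left unmasked."""
    return {name: unmasked_session_ids(apply_transform(raw))
            for name, raw in CASES.items()}

if __name__ == '__main__':
    print(apply_transform(SAMPLE))
    for name, leaked in report().items():
        print(f'{name}: {"OK" if not leaked else "UNMASKED " + str(leaked)}')
```

The constructed cases show where this REGEX leaves a full SessionId in _raw: values shorter than five characters, values not followed by & or ", and any earlier SessionId on the same line. The Ticket value in the page's sample is not touched by this transform, so it needs its own masking rule if it is sensitive.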