
How to mask when importing logs

release date
2016-10-11
last updated
2023-09-13
version
Splunk Enterprise 9.1.0

When importing log data, you can mask it using transforms.conf to anonymize personal information.

To mask a specific string, write a regular expression in REGEX*1 that matches the text before and after the value to be masked, write the masked output layout in FORMAT*2, and set DEST_KEY*3 to _raw so that the rewritten event replaces the original raw data.

*1. REGEX is the regular expression applied to the raw event text.

*2. FORMAT is the output layout of the event; it can refer to the groups captured by REGEX ($1, $2, ...) and add any field name or value you want.

*3. DEST_KEY is the destination that the result of FORMAT is written to.

<Example data>

"2006-09-21, 02:57:11.58", 122, 11, "Path=/LoginUser Query=CrmId=ClientABC&ContentItemId=TotalAccess&SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE&SessionTime=25368&ReturnUrl=http://www.clientabc.com, Method=GET,IP=209.51.249.195,Content=", ""

<Setting example>

--------------------
props.conf
--------------------
[<target sourcetype name>]
TRANSFORMS-anonymize = anonymizer
--------------------
transforms.conf
--------------------
[anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=##$2
DEST_KEY = _raw

<Mask results>

Before: ...SessionId=3A1785URH117BEA...

After:  ...SessionId=##7BEA...

Splunk's regular expressions use Perl-compatible (PCRE) syntax.

For information about regular expressions that can be used in Splunk, please refer to the following document.

https://docs.splunk.com/Documentation/Splunk/9.1.0/Knowledge/AboutSplunkregularexpressions#Character_types

*(?m) runs the regular expression in multi-line mode, so ^ and $ match at the start and end of each line.

*(.*) matches any sequence of characters (including an empty one) and captures it.

*The regular expression in the setting example captures everything from the beginning of the line up to and including "SessionId=" as $1, consumes the session ID value except for its last 4 characters, and captures those 4 characters together with the rest of the line (starting at the & or " that ends the value) as $2. FORMAT then rebuilds the event as $1, followed by "SessionId=##", followed by $2.
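To check how the anonymizer stanza behaves before deploying it, here is an added Python example (not Splunk's own code) that replays the REGEX/FORMAT pair above on the sample event. It assumes Python's re module treats this particular pattern the same way Splunk's PCRE engine does, which holds for the constructs used here.

```python
import re

# The transforms.conf stanza from this page, modelled as a dict (constructed example).
ANONYMIZER = {
    "REGEX": r'(?m)^(.*)SessionId=\w+(\w{4}[&"].*)$',
    "FORMAT": "$1SessionId=##$2",
    "DEST_KEY": "_raw",
}

# Sample event copied from the page's example data.
SAMPLE_EVENT = (
    '"2006-09-21, 02:57:11.58", 122, 11, "Path=/LoginUser Query=CrmId=ClientABC'
    '&ContentItemId=TotalAccess&SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE'
    '&SessionTime=25368&ReturnUrl=http://www.clientabc.com, Method=GET,'
    'IP=209.51.249.195,Content=", ""'
)


def splunk_format_to_python(fmt: str) -> str:
    """Translate Splunk's $1, $2, ... capture references into Python's \\g<N> form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", fmt)


def apply_transform(raw: str, stanza: dict) -> str:
    """Apply one REGEX/FORMAT pair to _raw as an index-time transform would.

    If REGEX does not match, the event is returned unchanged (Splunk does the same),
    so events that do not carry a SessionId, or whose SessionId value is shorter
    than 5 characters (\\w+ plus \\w{4}), are written to the index unmasked.
    """
    pattern = re.compile(stanza["REGEX"])
    replacement = splunk_format_to_python(stanza["FORMAT"])
    return pattern.sub(replacement, raw, count=1)


if __name__ == "__main__":
    print(apply_transform(SAMPLE_EVENT, ANONYMIZER))
```

Run it against a few real lines from the target sourcetype to confirm that every session ID is actually caught; an unmatched line is indexed as-is.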
