Implement Masking Using transforms.conf
Hi, I hope everyone is doing well. Today we are back with a Splunk administration topic: how to implement masking using transforms.conf. Masking is usually done in props.conf with the SEDCMD attribute, but today we will do the same thing through transforms.conf, which applies at index time on the first parsing tier (here, a heavy forwarder). So let's start with an example.
Suppose we have sample data like this:
Account number of sarada is 1234567
Account number of salim is 0987654
Account number of nibedan is 2345123
Account number of abhay is 3425167
And we want to see it like this:
Account number of sarada is XXXX567
Account number of salim is XXXX654
Account number of nibedan is XXXX123
Account number of abhay is XXXX167
Here we mask the first four digits of the account number with XXXX and leave only the last three digits visible.
Step 1:
Go to the universal forwarder and create an inputs.conf to forward the data.
In our case the above data is located under the /tmp directory.
So go to $SPLUNK_HOME/etc/system/local and create inputs.conf:
# cd /opt/splunkforwarder/etc/system/local
# vi inputs.conf
And within that write the following
[monitor:///tmp/abcd.txt]
index = emp_acc
sourcetype = maskingnew
Step 2:
Now go to your heavy forwarder and create a props.conf that references the transform by name. The universal forwarder does not parse events, so the props.conf and transforms.conf below must live on the heavy forwarder (or on the indexers, if the universal forwarder sends to them directly):
# cd /opt/splunk/etc/system/local
# vi props.conf
Within props.conf write the following lines:
[maskingnew]
SHOULD_LINEMERGE = false
TRANSFORMS-mask = one
Now type
# vi transforms.conf
Within transforms.conf write the following (note that FORMAT is literal text, so the masking characters must be written in the case you want to see in the indexed event, XXXX here to match the expected output above):
[one]
REGEX = (Account\s+number\s+of\s+\w+\s+is\s+)(\d\d\d\d)(\d\d\d)
FORMAT = $1XXXX$3
DEST_KEY = _raw
Explanation:
[one] – Stanza name / transformation name, the same name we referenced in props.conf (TRANSFORMS-mask = one).
REGEX – The regular expression that must match the event. The parts we need to keep or replace are captured in three groups using parentheses "()": the prefix up to the account number, the first four digits, and the last three digits. Because the FORMAT value replaces the whole of _raw, anything the regex does not capture (for example text after the account number) is dropped from the indexed event, and an event the regex does not match at all is indexed untouched, in clear. Check both cases before trusting the masking.
FORMAT – Rebuilds _raw from the capture groups, referenced as $1, $2, $3 and so on. The group you want to mask ($2 here) is simply not referenced; a hard-coded string (XXXX) is written in its place.
DEST_KEY = _raw – The result is written back into the raw event, so the original digits never reach the index.
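The transform above can be checked offline before it is deployed. The following Python script is an added example, not code from the original post: it emulates what an index-time REGEX/FORMAT transform with DEST_KEY = _raw does (the whole _raw is replaced by FORMAT with $n expanded to capture group n; an unmatched event passes through unchanged) and runs the post's stanza over the sample events plus three constructed edge cases the post does not cover (a longer account number, trailing text after the number, and a name containing an apostrophe). A hardened regex (an assumption, not from the post) handles those cases, and unmasked_digit_runs is a simple post-deploy check that could equally be run as a search over the indexed data.

```python
import re

# Constructed sample events: the four lines from the post plus three
# constructed edge cases that the post's regex does not handle.
SAMPLE_EVENTS = [
    "Account number of sarada is 1234567",
    "Account number of salim is 0987654",
    "Account number of nibedan is 2345123",
    "Account number of abhay is 3425167",
    "Account number of priya is 9876543210",       # constructed: 10-digit account number
    "Account number of kim is 4455667 (closed)",   # constructed: text after the number
    "Account number of o'neil is 5566778",         # constructed: \w+ does not match the name
]

# The stanza from the post's transforms.conf, expressed as Python data.
POST_REGEX = r"(Account\s+number\s+of\s+\w+\s+is\s+)(\d\d\d\d)(\d\d\d)"
POST_FORMAT = "$1XXXX$3"

# Hardened variant (assumption for this example, not from the post): \S+ for the
# name, mask every digit except the last three regardless of length, and capture
# the rest of the line so nothing after the account number is dropped from _raw.
HARDENED_REGEX = r"(Account\s+number\s+of\s+\S+\s+is\s+)(\d+)(\d{3})\b(.*)$"
HARDENED_FORMAT = "$1XXXX$3$4"


def apply_transform(raw, regex, fmt):
    """Emulate an index-time transform with DEST_KEY = _raw.

    When REGEX matches, the entire _raw is replaced by FORMAT with each $n
    expanded to the n-th capture group; text the regex did not capture is lost.
    When REGEX does not match, _raw is returned as-is (indexed unmasked).
    """
    m = re.search(regex, raw)
    if m is None:
        return raw
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)


def mask_events(events, regex, fmt):
    """Apply the transform to every event and return the resulting _raw values."""
    return [apply_transform(e, regex, fmt) for e in events]


def unmasked_digit_runs(events, keep=3):
    """Return events that still contain a digit run longer than `keep` digits,
    i.e. events the transform failed to mask. Run the same check against search
    results after deployment before relying on the masking."""
    pattern = re.compile(r"\d{%d,}" % (keep + 1))
    return [e for e in events if pattern.search(e)]


if __name__ == "__main__":
    for label, regex, fmt in (("post", POST_REGEX, POST_FORMAT),
                              ("hardened", HARDENED_REGEX, HARDENED_FORMAT)):
        print("--- %s ---" % label)
        masked = mask_events(SAMPLE_EVENTS, regex, fmt)
        for out in masked:
            print(out)
        print("still unmasked:", unmasked_digit_runs(masked))
```

With the post's stanza, the 10-digit account number is silently truncated to "XXXX543" (the wrong three digits are shown and the rest are lost), the "(closed)" suffix disappears, and the o'neil line is indexed in clear because the regex never matched. The hardened stanza masks all three correctly, and the digit-run check reports nothing left behind.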
Result:
After this, restart the heavy forwarder and then the universal forwarder, go to the search head and search the data. Keep in mind that an index-time transform only affects events indexed after the restart; anything already indexed is stored in clear and has to be handled separately. The events also travel unmasked from the universal forwarder to the heavy forwarder, so that hop should be protected with SSL.
As you can see, the data appears as expected.
I hope you all understood how to implement masking using transforms.conf.
Happy Splunking!!