Spread our blog

Implement Masking Using transforms.conf

Hi, I hope everyone is really doing well. Today we are back with a topic of Splunk administration which is How can we implement masking using transforms.conf. As we all know basically we do masking through props.conf using SEDCMD attribute. But today we will try to do the same through transforms.conf. So let’s start Take an example then.

Suppose we have a sample data like this.

Account number of sarada is 1234567
Account number of salim is 0987654
Account number of nibedan is 2345123
Account number of abhay is 3425167

And we want to see it like this

Account number of sarada is XXXX567
Account number of salim is XXXX654
Account number of nibedan is XXXX123
Account number of abhay is XXXX167

Here we will try to mask the first four digits of the account number with XXXX and the last three digits will be visible.

Step 1:

Go to the Universal forwarder and create inputs.conf to forward the data.

In our case the above data is located under /tmp directory.

So go to $SPLUNK_HOME/etc/system/local and create inputs.conf

# cd /opt/splunkforwarder/etc/system/local 
# vi inputs.conf 

And within that write the following

[monitor:///tmp/abcd.txt]
index = emp_acc
sourcetype = maskingnew

Step 2:

No go to your Heavy forwarder and create props.conf for to create transforms name.

# cd /opt/splunk/etc/system/local 
#vi props.conf

And within the props.conf write the following lines.

[maskingnew] 
SHOULD_LINEMERGE = false 
TRANSFORMS-mask = one

Now type

# vi transforms.conf 

Within the transforms.conf write the following

[one] 
REGEX = (Account\s+number\s+of\s+\w+\s+is\s+)(\d\d\d\d)(\d\d\d) 
FORMAT = $1xxxx$3 
DEST_KEY = _raw  

Explanation:
[one] – Stanza name/ transformation name , which we have mentioned in the props.conf
REGEX – Within the transforms.conf at first using REGEX we defined whole data through regular expression. Then according to our requirement we captured the whole expression in three parts by using parenthesis “()”.
FORMAT –  We mentioned all brackets by $1,$2,$3 etc like this and the portion you want to mask doesn’t need to be defined like that, for that you can use hard coded characters (XXXX) as we did.
DEST_KEY – _raw. That means it will be reflected in the raw data.

You can also know about :  HEC (Http Event Collector) with Syslog-NG :  Aggregated  and Scalable Data Collection Method in Splunk

Result:
After this restart Heavy forwarder and universal forwarder respectively and go to the search head and search the data.

As one can see that we got our data as expected.

I Hope you all understood how to Implement Masking Using transforms.conf

Happy Splunking!!

What’s your Reaction?
+1
+1
2
+1
4
+1
+1
8
+1
1
+1

Spread our blog

LEAVE A REPLY

Please enter your comment!
Please enter your name here