Hi All
I have followed the regular expression method to anonymize data during indexing as mentioned in the below Splunk documentation.
https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Anonymizedata
Path : {Splunk_home}/etc/system/local
props.conf entry:
[access_log]
TRANSFORMS-anonymize = cardType1-anonymizer, cardType2-anonymizer
transforms.conf entry:
[cardType1-anonymizer]
REGEX = (.*?)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*?)$
FORMAT = $1$2##$3######$4#$5$6##$7######$8#$9
DEST_KEY = _raw
[cardType2-anonymizer]
REGEX = (.*?)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*?)$
FORMAT = $1$2##$3######$4#$5
DEST_KEY = _raw
When I am loading data from Search Head UI using Settings > Add Data > Upload from My Computer the masking is working and card numbers are getting masked properly.
However, when the same data is coming from universal forwarders installed on application servers, the masking is not working.
In both cases I have the same sourcetype.
I am not able to understand what it is that I am missing.
Can anyone help me to resolve this?
Thanks
Nirmalya
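
One way to rule the regexes themselves in or out before looking at the data path, as an added example that is not part of the original post: this Python sketch emulates the two transforms above (REGEX match, then `_raw` rewritten from FORMAT) on constructed single-line events. It assumes Python's `re` behaves like Splunk's PCRE for these particular patterns; the function names and sample events are made up for illustration.

```python
import re

# REGEX/FORMAT pairs copied from the transforms.conf in the post, listed in
# the order given by TRANSFORMS-anonymize in props.conf.
TRANSFORMS = [
    (r"(.*?)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*?)$",
     "$1$2##$3######$4#$5$6##$7######$8#$9"),   # cardType1-anonymizer
    (r"(.*?)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*?)$",
     "$1$2##$3######$4#$5"),                     # cardType2-anonymizer
]

# Same card shape as the transforms match; used to flag events left unmasked.
UNMASKED = re.compile(r"37\d{2}(?:-|%20)\d{6}(?:-|%20)\d")


def apply_transform(raw, regex, fmt):
    """Emulate DEST_KEY = _raw: on a match, _raw becomes the expanded FORMAT."""
    m = re.search(regex, raw)
    if m is None:
        return raw  # no match: event passes through unchanged
    return re.sub(r"\$(\d+)", lambda ref: m.group(int(ref.group(1))) or "", fmt)


def anonymize(raw):
    """Apply every transform in order, as the TRANSFORMS- class would."""
    for regex, fmt in TRANSFORMS:
        raw = apply_transform(raw, regex, fmt)
    return raw


def has_unmasked_card(raw):
    return UNMASKED.search(raw) is not None


# Constructed sample events (not real card numbers or real logs).
SAMPLES = [
    "GET /pay?card=3712-345678-95432&amt=10 HTTP/1.1",
    "from=3798%20765432%2012345 to=3745-678901-23456 status=ok",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for event in SAMPLES:
        masked = anonymize(event)
        print(has_unmasked_card(event), has_unmasked_card(masked), masked)
```

`has_unmasked_card` can also be run over events exported from the index to confirm which sources are delivering card numbers unmasked.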