You might need to anonymize, or mask, sensitive personal information from the data that you index into the Splunk platform, such as credit card or Social Security numbers. You can anonymize parts of confidential fields in events to protect privacy while providing enough remaining data for use in event tracking. To anonymize data with Splunk Enterprise, you must configure a Splunk Enterprise instance as a heavy forwarder and anonymize the incoming data with that instance before sending it to Splunk Enterprise.

There are two ways to anonymize data with a heavy forwarder:

- Use the SEDCMD setting. This setting exists in the props.conf configuration file, which you configure on the heavy forwarder. It acts like a *nix sed script to do replacements and substitutions. This method is more straightforward, takes less time to configure, and is slightly faster than a regular expression transform, but there are limits to how many times you can invoke the SEDCMD setting and what it can do. For instructions on this method, see Anonymize data with a sed script.
- Use a regular expression (regex) transform. This method takes longer to configure but is less complex to modify after the initial configuration. You can also assign this method to multiple data inputs more flexibly. For instructions on this method, see Anonymize data with a regular expression transform.

Both of these options are also available in Splunk Enterprise, where you can complete the configuration on either a heavy forwarder or an indexer.

Before you can anonymize data, you must select a set of events to anonymize. First, select the events to anonymize. Then use the props.conf configuration file to anonymize the events with a sed script, or the props.conf and transforms.conf configuration files to anonymize the events with a regular expression transform.

You can anonymize event data based on whether the data comes from a specific source or host, or whether the data is tagged with a specific source type. You specify which method selects the data in the props.conf configuration file. The stanza name that you specify in the props.conf file determines how the Splunk platform selects and processes events for anonymization. Refer to the following stanza specifications:

- A host stanza matches events that contain the specified host.
- A source stanza matches events with the specified source.
- A source type stanza matches events with the specified source type. As a best practice, you must subsequently specify the source type in the props.conf file for this stanza type to work.

Replace strings in events with a sed script

You can use a sed script and the SEDCMD method to replace strings or substitute characters. Refer to the following syntax for a sed-style replacement: The SEDCMD setting has the following components:

- regex is a regular expression written in the Perl programming language.
- replacement is the string you want to substitute for whatever the regular expression matches.
- flags can be either the letter g to replace all matches or a number to replace a specified match.

Substitute characters in events with a sed script

Refer to the following syntax for a sed character substitution: This substitutes each occurrence of the characters in string1 with the characters in string2.

Use a regular expression transform to anonymize events

Each stanza in the transforms.conf configuration file defines a transform class that you can reference from the props.conf file for a given source type, source, or host. Transforms have several settings and variables that let you specify what changes and where, but the following settings are the most important:

- The REGEX setting specifies the regular expression that points to the string in the event that you want to anonymize.
- The FORMAT setting specifies the masked values.
- The $1 variable represents the text of the event before the regular expression that represents the string in the event that you want to mask.
- The $2 variable represents the text of the event after the regular expression.
- DEST_KEY = _raw writes the value from FORMAT to the raw value in the log.

The regular expression processor does not handle multiline events.
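The following configuration is an added example and not taken from the Splunk documentation this page summarizes. It shows both methods side by side: a SEDCMD replacement and a SEDCMD character substitution in props.conf, and a regular expression transform split across props.conf and transforms.conf. The log path /var/log/payments.log, the source type name payments_log, the class names after the dashes, and the layout of the sample event are all hypothetical; the `s/regex/replacement/flags` and `y/string1/string2/` forms are Splunk's documented SEDCMD syntax, which this page describes but does not print.

```ini
# ---------------------------------------------------------------
# props.conf on the heavy forwarder (added example, not Splunk's own
# reference config). The source path and event layout are made up.
#
# Constructed sample event that these stanzas operate on:
#   2024-01-01T10:00:00 user=alice card=4111-1111-1111-1234 ssn=123456789
# ---------------------------------------------------------------

# Method 1a: SEDCMD replacement, selected by source.
# The class name "cc" after the dash is arbitrary but must be unique
# within the stanza. The regex is Perl-style; \1 in the replacement
# refers to the first capture group (the last four digits), and the
# trailing g flag replaces every match in the event, not just the first.
[source::/var/log/payments.log]
SEDCMD-cc = s/card=\d{4}-\d{4}-\d{4}-(\d{4})/card=XXXX-XXXX-XXXX-\1/g

# Method 1b: SEDCMD character substitution, selected by host.
# y/// maps each character in string1 to the character at the same
# position in string2 and is applied to the WHOLE event, so this stanza
# would also rewrite digits in the timestamp. Use it only where that is
# acceptable, or select a narrower set of events.
[host::payments-db-01]
SEDCMD-digits = y/0123456789/##########/

# Method 2: regular expression transform, selected by source type.
# props.conf only names the transform class; the mask itself lives in
# transforms.conf below. For a source type stanza, the input must
# actually be tagged with this source type for the stanza to apply.
[payments_log]
TRANSFORMS-maskssn = mask-ssn

# ---------------------------------------------------------------
# transforms.conf on the same heavy forwarder
# ---------------------------------------------------------------

# REGEX must match the entire single-line event: group 1 ($1) is the
# text before the SSN prefix, group 2 ($2) is the last four digits and
# everything after them. FORMAT rebuilds the event with the first five
# digits masked, and DEST_KEY = _raw writes that result back as the
# event's raw text before it is indexed. The regex processor does not
# span multiline events, so do not rely on this for events that contain
# line breaks.
[mask-ssn]
REGEX = ^(.*)ssn=\d{5}(\d{4}.*)$
FORMAT = $1ssn=XXXXX$2
DEST_KEY = _raw
```

Both files belong on the parsing instance (the heavy forwarder or, in Splunk Enterprise, the indexer), not on a universal forwarder, and a reload or restart of that instance is needed before the stanzas take effect. Because the rewrite happens in the parsing pipeline, the unmasked value never reaches the index, which is the property the page is after; verify it by searching the indexed events for the original pattern rather than trusting the configuration alone.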