On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
Masking sensitive data
You might want to mask sensitive personal data before indexing your events. You can mask personal data using the replace scalar function with eval.
Masking sensitive data with replace
You can use the replace scalar function to mask sensitive data using regular expressions.
This example masks personal phone number information in an event.
If your data looks like:
18C4DF96F5A69E35952134948DB94424,98B4686144A13EE8378510888F22D782,Game Card,12.5,2018-01-13 09:15:00,2018-01-13 09:29:00,-73.986061,40.727932, 800-111-1111 C45D2BBAD3A25089871DA5F370B08644,BEAC3A468B86B6C0A0BC0C4944238808,Game Card,33.3,2018-01-13 09:16:00,2018-01-13 09:33:00,-73.98439,40.765469, 800-800-8000 3CACE6A20EB462544D4F0F3DA1303EDC,D9D06E5E87D7BF8D0CC768BDECE121BD,Game Card,8.5,2018-01-13 09:22:00,2018-01-13 09:30:00,-73.98584,40.731003, 123-123-1234
Use the Eval and Replace function to mask sensitive data.
- From the Data Pipelines Canvas view, click on the + icon and add the Eval function to your pipeline.
- In the Eval function, enter the following:
body=replace(cast(body, "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>").
This replaces the phone number in thebodyfield with <redacted>. We also need to cast body to string, because replace takes a string as input. - Click Start Preview and the Eval function to verify that your data is being masked.
Last modified on 28 September, 2020
| Filtering data | Sending data from DSP to the Splunk platform |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0
Download manual
Feedback submitted, thanks!