Splunk® Data Stream Processor

Use the Data Stream Processor

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of DSP. Click here for the latest version.
Acrobat logo Download topic as PDF

Masking sensitive data

You might want to mask sensitive personal data before indexing your events. You can mask personal data using the replace scalar function with eval.

Masking sensitive data with replace

You can use the replace scalar function to mask sensitive data using regular expressions.

This example masks personal phone number information in an event.

If your data looks like:

18C4DF96F5A69E35952134948DB94424,98B4686144A13EE8378510888F22D782,Game Card,12.5,2018-01-13 09:15:00,2018-01-13 09:29:00,-73.986061,40.727932, 800-111-1111
C45D2BBAD3A25089871DA5F370B08644,BEAC3A468B86B6C0A0BC0C4944238808,Game Card,33.3,2018-01-13 09:16:00,2018-01-13 09:33:00,-73.98439,40.765469, 800-800-8000
3CACE6A20EB462544D4F0F3DA1303EDC,D9D06E5E87D7BF8D0CC768BDECE121BD,Game Card,8.5,2018-01-13 09:22:00,2018-01-13 09:30:00,-73.98584,40.731003, 123-123-1234

Use the Eval and Replace function to mask sensitive data.

  1. From the Data Pipelines Canvas view, click on the + icon and add the Eval function to your pipeline.
  2. In the Eval function, enter the following: body=replace(cast(body, "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>").
    This replaces the phone number in the body field with <redacted>. We also need to cast body to string, because replace takes a string as input.
  3. Click Start Preview and the Eval function to verify that your data is being masked.
Last modified on 28 September, 2020
PREVIOUS
Filtering data
  NEXT
Sending data from DSP to the Splunk platform

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters