Splunk® Data Stream Processor

Use the Data Stream Processor

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Masking sensitive data

You might want to mask sensitive personal data before indexing your events. You can mask personal data using the replace scalar function with eval.

Masking sensitive data with replace

You can use the replace scalar function to mask sensitive data using regular expressions.

This example masks personal phone number information in an event.

If your data looks like:

18C4DF96F5A69E35952134948DB94424,98B4686144A13EE8378510888F22D782,Game Card,12.5,2018-01-13 09:15:00,2018-01-13 09:29:00,-73.986061,40.727932, 800-111-1111
C45D2BBAD3A25089871DA5F370B08644,BEAC3A468B86B6C0A0BC0C4944238808,Game Card,33.3,2018-01-13 09:16:00,2018-01-13 09:33:00,-73.98439,40.765469, 800-800-8000
3CACE6A20EB462544D4F0F3DA1303EDC,D9D06E5E87D7BF8D0CC768BDECE121BD,Game Card,8.5,2018-01-13 09:22:00,2018-01-13 09:30:00,-73.98584,40.731003, 123-123-1234

Use the Eval and Replace function to mask sensitive data.

  1. From the Data Pipelines Canvas view, click on the + icon and add the Eval function to your pipeline.
  2. In the Eval function, enter the following: body=replace(cast(body, "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>").
    This replaces the phone number in the body field with <redacted>. We also need to cast body to string, because replace takes a string as input.
  3. Click Start Preview and the Eval function to verify that your data is being masked.
Last modified on 28 September, 2020
Filtering data   Sending data from DSP to the Splunk platform

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters