Masking sensitive data
You might want to mask sensitive personal data before indexing your events. You can mask personal data using the replace scalar function with eval.
Masking sensitive data with replace
You can use the replace scalar function to mask sensitive data using regular expressions.
This example masks personal phone number information in an event.
If your data looks like:
18C4DF96F5A69E35952134948DB94424,98B4686144A13EE8378510888F22D782,Game Card,12.5,2018-01-13 09:15:00,2018-01-13 09:29:00,-73.986061,40.727932, 800-111-1111 C45D2BBAD3A25089871DA5F370B08644,BEAC3A468B86B6C0A0BC0C4944238808,Game Card,33.3,2018-01-13 09:16:00,2018-01-13 09:33:00,-73.98439,40.765469, 800-800-8000 3CACE6A20EB462544D4F0F3DA1303EDC,D9D06E5E87D7BF8D0CC768BDECE121BD,Game Card,8.5,2018-01-13 09:22:00,2018-01-13 09:30:00,-73.98584,40.731003, 123-123-1234
Use the Eval and Replace function to mask sensitive data.
- From the Data Pipelines Canvas view, click on the + icon and add the Eval function to your pipeline.
- In the Eval function, enter the following:
body=replace(cast(body, "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>")
.
This replaces the phone number in thebody
field with <redacted>. We also need to cast body to string, because replace takes a string as input. - Click Start Preview and the Eval function to verify that your data is being masked.
Filtering data | Sending data from DSP to the Splunk platform |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0
Feedback submitted, thanks!