🚚 Transformations Splunk V Cribl- Mask PII - Technical Use Case

🚚 Transformations Splunk V Cribl- Mask PII - Technical Use Case

Every day, organizations risk compliance violations if they fail to properly secure and mask personal data. While both Splunk and Cribl Stream address this challenge, Cribl Stream offers a key advantage: you can move rapidly by capturing real sample data off the wire, ensuring transformations work correctly from the start. Its real-time preview also minimizes configuration errors, slashes deployment cycles, and enables teams to adapt instantly to new compliance demands—saving time, money, and potential fines.

Scenario Mask Sensitive Information:

Sample Log

192.168.1.1 - user1 [09/Jan/2025:19:06:07 -0800] "GET /user/info?ssn=123-45-6789 HTTP/1.1" 200 1500

Objective

  • Mask the SSN values to show only the last 4 digits (**-**-1234).

In Splunk (props.conf and transforms.conf)

  1. props.conf

    Define the sourcetype and specify the transformation rule:

    [your_sourcetype]
    
    
  2. transforms.conf

    • Mask Sensitive Data:

      Apply a regex to mask SSN values:

      [mask_ssn]
      REGEX = (\\d{3})-(\\d{2})-(\\d{4})
      FORMAT = ***-**
      
      
  3. Steps to Implement:

    • Save the configurations in the appropriate props.conf and transforms.conf files under $SPLUNK_HOME/etc/system/local/

    • Restart Splunk for the changes to take effect. Validate the data hitting your index to ensure the transformations worked.

  4. Result:

    The data is transformed as an indexed field extraction avoiding storing PII and staying compliant. This avoids the need to apply transformations repeatedly in SPL searches.

In Cribl Stream

  1. Pipeline Configuration:


    • Mask Sensitive Data: Applying the mask function in a cribl stream pipeline along with an md5 hash allows us to keep the original value but store it in a compliant encypted hash.


  2. Advantages of Cribl:

    • Real-time previews and testing of transformations.

    • Simplified workflow with a graphical user interface.

    • Changes applied at the pipeline level, avoiding the need for restarts.

Comparison of Splunk props/transforms vs. Cribl Stream

Feature

Splunk (props/transforms)

Cribl Stream

Configuration

Manual edits in config files

Drag-and-drop or scripted in GUI

Preview of Changes

Not available

Real-time previews in the UI

Flexibility

Static regex-based rules

Dynamic scripting and regex support

Ease of Use

Requires expertise with conf files

Intuitive and beginner-friendly

Application Scope

Index-time or search-time

Real-time, pre-ingestion

Impact of Changes

Requires restart for updates

Instant application, no restart

Conclusion

While Splunk’s props.conf and transforms.conf are powerful, they lack the flexibility and real-time feedback Cribl Stream provides. Cribl is easier to use and quicker for iterative testing and transformation, while Splunk requires a more rigid process that involves restarts and manual file management.

Andrew Hendrix
Professional Services Consultant
www.VisiCoreTech.com

Cribl Data Maturity Journey: Unlocking the Full Potential of Your Data| Read now

© Visicor. 2025

Privacy Policy

Terms of Use

© Visicor. 2025

Privacy Policy

Terms of Use

© Visicor. 2025

Privacy Policy

Terms of Use