Scenario Mask Sensitive Information:

Sample Log

192.168.1.1 - user1 [09/Jan/2025:19:06:07 -0800] "GET /user/info?ssn=123-45-6789 HTTP/1.1" 200 1500

Objective

• Mask the SSN values to show only the last 4 digits (**-**-1234).

In Splunk (props.conf and transforms.conf)

1. props.conf

   Define the sourcetype and specify the transformation rule:

   [your_sourcetype]
   
   

2. transforms.conf

   • Mask Sensitive Data:

     Apply a regex to mask SSN values:

     [mask_ssn]
     REGEX = (\\d{3})-(\\d{2})-(\\d{4})
     FORMAT = ***-**
     
     

3. Steps to Implement:

   • Save the configurations in the appropriate props.conf and transforms.conf files under $SPLUNK_HOME/etc/system/local/

   • Restart Splunk for the changes to take effect. Validate the data hitting your index to ensure the transformations worked.

4. Result:

   The data is transformed as an indexed field extraction avoiding storing PII and staying compliant. This avoids the need to apply transformations repeatedly in SPL searches.

In Cribl Stream

1. Pipeline Configuration:

   

   
   

   • Mask Sensitive Data: Applying the mask function in a cribl stream pipeline along with an md5 hash allows us to keep the original value but store it in a compliant encypted hash.

     
     

2. Advantages of Cribl:

   • Real-time previews and testing of transformations.

   • Simplified workflow with a graphical user interface.

   • Changes applied at the pipeline level, avoiding the need for restarts.

Comparison of Splunk props/transforms vs. Cribl Stream

Conclusion

While Splunk’s props.conf and transforms.conf are powerful, they lack the flexibility and real-time feedback Cribl Stream provides. Cribl is easier to use and quicker for iterative testing and transformation, while Splunk requires a more rigid process that involves restarts and manual file management.

Andrew Hendrix
Professional Services Consultant
www.VisiCoreTech.com