The scrub command anonymizes the search results without affecting the raw data. This lets us change sensitive information such as passwords, personal emails, etc.
The same thing can be achieved at index time in transforms.conf, which masks the data permanently. But if the data is already ingested and we need to send the sensitive information to other vendors, the scrub command lets us do this by anonymizing the required data.
Note: the data is not masked by this feature; the information is changed.
Let us look at how the command works.
If we open the backend of the instance where Splunk 9.0 is installed and go to the following location:
cd /opt/splunk/etc/anonymizer
we would see the following files in that location.
If you want to add the anonymizer folder to your specific app, you can place it in the following location:
/opt/splunk/etc/apps/<app name>/anonymizer
Syntax
scrub [public-terms=<filename>] [private-terms=<filename>] [name-terms=<filename>] [dictionary=<filename>] [timeconfig=<filename>] [namespace=<string>]
Required arguments: none
Optional arguments: as discussed below
public-terms=<filename>
The file in the anonymizer folder that lists public terms in our data that do not need to be anonymized.
private-terms=<filename>
The file we added to the anonymizer folder that lists the terms to be anonymized.
name-terms=<filename>
The file that lists names that need to be anonymized.
dictionary=<filename>
A dictionary of terms that are not anonymized unless those terms are also listed in the private-terms file.
namespace=<string>
Here we can name the application containing the files to be used for anonymizing instead of the built-in files from the default folder.
Let us learn about some of the arguments with the examples below.
Here we have monitored a CSV file which looks as shown in the image below.
The original data before applying the scrub command
Let us apply the scrub command without any arguments.
The purpose of scrub is to anonymize the data. Here it has turned the raw event text into completely different data, as shown in the image above.
Now adding the value “Avotrix” to the public-terms.txt file
As discussed above, public-terms anonymizes all the data except the values found in public-terms.txt. Here let us anonymize all the data except the company name, i.e. “Avotrix”. So we add “Avotrix” to the public-terms.txt file and use the scrub command as shown below:
vi /opt/splunk/etc/anonymizer/public-terms.txt
Since we have added the name Avotrix to our public-terms.txt file, all the field values have been anonymized except the field company_name, which we specified to remain public.
If you have another file in the anonymizer folder listing the values you want to keep public, you can name it in the public-terms argument.
Let us create files of our own in the anonymizer directory to work with the private-terms argument as well as the public-terms argument. The data looks as shown below before applying the scrub command.
Here we anonymize the data with our own files placed in the anonymizer folder, as shown below.
We have created a file named change.txt to be specified in the private-terms argument and a file named public.txt to be specified in the public-terms argument.
Using the scrub command and providing these arguments, the following changes are observed:
As specified in change.txt, the values Mumbai and Navi Mumbai have been anonymized to new names, whereas the values Delhi, Pune and Avotrix remain public as listed in the file given to the public-terms argument.
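To make the precedence of the three term lists concrete, here is an added Python model of the behaviour described above (public.txt keeps a value readable, change.txt forces it to be anonymized, the dictionary keeps ordinary words unless they are also private, everything else is anonymized while keeping its length and letter/digit shape). This is illustrative code, not Splunk's implementation; the sample events and term-file contents are constructed, and the consistent per-run mapping is an assumption of this example.

```python
import random
import re
import string

# Constructed sample events shaped like the CSV the post monitors
# (company_name, city, email, phone). Not the author's data.
SAMPLE_EVENTS = [
    "Avotrix,Mumbai,ravi@example.com,9876543210",
    "Avotrix,Navi Mumbai,priya@example.com,9123456780",
    "Avotrix,Delhi,admin@example.com,9000000001",
    "Avotrix,Pune,ops@example.com,9000000002",
]
# Stand-ins for public.txt (never anonymized) and change.txt (always
# anonymized); constructed contents following the post's example.
PUBLIC_TERMS = {"Avotrix", "Delhi", "Pune"}
PRIVATE_TERMS = {"Mumbai", "Navi Mumbai"}
# Tiny stand-in for the built-in dictionary of ordinary words.
DICTIONARY = {"example", "com"}

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def build_scrubber(public, private, dictionary, seed=0):
    """Return a function that anonymizes one event line.
    Private terms win over dictionary and public terms; any other token
    not public or in the dictionary is anonymized. Replacement keeps
    length and character class (letter->letter, digit->digit), and a
    per-run mapping keeps repeated values consistent (assumption)."""
    rng = random.Random(seed)
    private_words = {w for term in private for w in term.split()}
    keep = (public | dictionary) - private_words
    mapping = {}

    def scramble(tok):
        if tok not in mapping:
            mapping[tok] = "".join(
                rng.choice(string.digits if ch.isdigit() else
                           string.ascii_uppercase if ch.isupper() else
                           string.ascii_lowercase)
                for ch in tok)
        return mapping[tok]

    def scrub_line(line):
        return TOKEN_RE.sub(
            lambda m: m.group(0) if m.group(0) in keep
            else scramble(m.group(0)), line)

    return scrub_line


if __name__ == "__main__":
    scrub = build_scrubber(PUBLIC_TERMS, PRIVATE_TERMS, DICTIONARY)
    for event in SAMPLE_EVENTS:
        print(scrub(event))
```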
If you still have any doubt about applying the scrub command in a Splunk query, feel free to ask your doubts in the comment section below, give your ratings and don’t forget to follow us on 👍 social networks. Happy Splunking 😉