Splunk app providing a custom search command for redaction of JSON documents

back2root/TA-json_redact

JSON redact (TA-json_redact)

This app for Splunk> Enterprise provides a custom search command for search-time redaction of JSON documents.
This may be useful for anonymizing events before summary indexing for long-term retention.

Every field value matched by one of the JSONPath expressions is replaced with the string given in value.
The JSON document to be redacted has to be stored in the field named by infield.
The redacted version is stored in the field named by outfield; in it, the content of each matched field is replaced by the specified value.

JSONPath expressions can be tested with a tool such as the JSONPath Online Evaluator.

Usage

sourcetype=json | jsonredact infield="_raw" outfield="out" value="-redacted-" "$.firstName" "$.lastName" "$.phoneNumbers[:].number"

Redacts the fields firstName and lastName and the number field of every phoneNumbers entry in the JSON document held in _raw, and stores the redacted version in out.
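
The following Python sketch is an added example, not the app's own code: it mimics the behaviour described above for a small JSONPath subset (dotted keys and [:] list wildcards) and returns a per-expression match count, so that an expression matching nothing is noticed before events go to a summary index. The sample event, its note field and the misspelled $.lastname expression are constructed for illustration.

```python
import json
import re

TOKEN = re.compile(r"\.(\w+)|\[[:*]\]")  # ".key" or a "[:]" / "[*]" list wildcard

def parse_path(path):
    """Parse the subset '$.key', '$.a.b', '$.list[:].key'; None marks a wildcard."""
    tokens, pos = [], 1
    while path.startswith("$") and pos < len(path):
        m = TOKEN.match(path, pos)
        if not m:
            break
        tokens.append(m.group(1))  # group 1 is None for a wildcard token
        pos = m.end()
    if not tokens or pos != len(path):
        raise ValueError(f"unsupported path: {path!r}")
    return tokens

def _apply(node, tokens, value):
    """Overwrite every value reached by tokens; return how many were replaced."""
    head, rest = tokens[0], tokens[1:]
    if head is None:
        keys = range(len(node)) if isinstance(node, list) else []
    else:
        keys = [head] if isinstance(node, dict) and head in node else []
    hits = 0
    for k in keys:
        if rest:
            hits += _apply(node[k], rest, value)
        else:
            node[k], hits = value, hits + 1
    return hits

def redact(raw, paths, value="-redacted-"):
    """Return (redacted JSON text, {expression: number of values replaced})."""
    doc = json.loads(raw)
    counts = {p: _apply(doc, parse_path(p), value) for p in paths}
    return json.dumps(doc), counts

SAMPLE = json.dumps({  # constructed sample event, not real data
    "firstName": "Jane", "lastName": "Doe", "age": 30,
    "phoneNumbers": [{"type": "home", "number": "555-0100"},
                     {"type": "work", "number": "555-0101"}],
    "note": "call Jane on 555-0100",
})
# The last expression is a deliberate typo (wrong case) and matches nothing.
PATHS = ["$.firstName", "$.lastName", "$.phoneNumbers[:].number", "$.lastname"]

if __name__ == "__main__":
    print(*redact(SAMPLE, PATHS), sep="\n")
```

In this sample the free-text note field still contains the name and phone number after redaction, because only values at the listed paths are replaced.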

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
