JSON redact (TA-json_redact)

This app for Splunk> Enterprise provides a custom search command for search-time redaction of JSON documents.
This is useful for anonymizing events before summary indexing them for long-term retention.

Every field value matched by one of the given JSONPath expressions is replaced by the string supplied in value.
The JSON document to be redacted has to be stored in the field named by infield.
The redacted version is written to the field named by outfield; the matched values in it are replaced by the specified value.

JSONPath expressions can be tested with, for example, the JSONPath Online Evaluator.

Usage

sourcetype=json | jsonredact infield="_raw" outfield="out" value="-redacted-" "$.firstName" "$.lastName" "$.phoneNumbers[:].number"

Redacts the fields firstName and lastName and every number in phoneNumbers within the JSON document held in _raw, and stores the redacted version in out.
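To show what the command does to an event, here is an added, self-contained Python illustration of the redaction step (not the app's own code, which may use a different JSONPath library): it supports only the JSONPath subset that appears in the usage line above ("$", ".name", "[:]" and "[n]"), replaces each matched value with the given string, and leaves unmatched paths untouched. The sample event is constructed for this example.

```python
import json
import re

# Tokeniser for the JSONPath subset used in the usage line: "$", ".name", "[:]" and "[n]".
_STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+|:)\]")

def parse_path(path):
    """Turn "$.phoneNumbers[:].number" into [("key","phoneNumbers"), ("all",), ("key","number")]."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$': %r" % path)
    pos, steps = 1, []
    for m in _STEP.finditer(path):
        if m.start() != pos:  # a gap means syntax this subset does not understand
            raise ValueError("unsupported JSONPath syntax in %r" % path)
        pos = m.end()
        if m.group(1) is not None:
            steps.append(("key", m.group(1)))
        elif m.group(2) == ":":
            steps.append(("all",))
        else:
            steps.append(("idx", int(m.group(2))))
    if pos != len(path):
        raise ValueError("unsupported JSONPath syntax in %r" % path)
    return steps

def _redact(node, steps, value):
    """Walk `node` along `steps`; every leaf the path selects is replaced by `value`."""
    if not steps:
        return value
    head, rest = steps[0], steps[1:]
    if head[0] == "all" and isinstance(node, list):
        return [_redact(item, rest, value) for item in node]
    if head[0] == "idx" and isinstance(node, list) and head[1] < len(node):
        node[head[1]] = _redact(node[head[1]], rest, value)
    elif head[0] == "key" and isinstance(node, dict) and head[1] in node:
        node[head[1]] = _redact(node[head[1]], rest, value)
    return node  # path does not match here: leave the subtree untouched

def jsonredact(raw, paths, value="-redacted-"):
    """Redact `raw` (the infield content) and return the outfield content as compact JSON."""
    doc = json.loads(raw)
    for path in paths:
        doc = _redact(doc, parse_path(path), value)
    return json.dumps(doc, separators=(",", ":"))

# Constructed sample event standing in for _raw; not taken from the project.
SAMPLE_EVENT = json.dumps({"firstName": "Jane", "lastName": "Doe", "age": 42,
                           "phoneNumbers": [{"type": "home", "number": "555-0100"},
                                            {"type": "work", "number": "555-0199"}]})
```

Running `jsonredact(SAMPLE_EVENT, ["$.firstName", "$.lastName", "$.phoneNumbers[:].number"])` keeps age and the phone types while replacing both names and both numbers with -redacted-.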

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.