Introduction

In this blog we'd like to discuss masking or obscuring data in Splunk. We've had customers in the past ask us how to mask data at both search time and index time. Usually this is to hide personally identifiable information for security, compliance, or both. In this post we'll cover several different approaches for doing this in Splunk and discuss some pros and cons.

For each of the approaches we will use the following sample data from a fictitious HR application:

sourcetype = hr_app
sample event = “This is an event with a sensitive number in it...