https://community.splunk.com/t5/Getting-Data-In/Sanitize-Incoming-Data-remove-Passwords/m-p/191110#M38053 <P>Yes, that is what i was looking for, thank you very much.</P> Fri, 06 Jun 2014 16:49:23 GMT aattinello 2014-06-06T16:49:23Z https://community.splunk.com/t5/Getting-Data-In/Sanitize-Incoming-Data-remove-Passwords/m-p/191108#M38051 <P>Hello,<BR /> I am looking for a sanitize my incoming data. My customers sometimes pass GET parameters instead of POST parameters, which is normally fine. However in some cases they pass their password into our API as a GET parameter which then appears in plain text in my webserver log. When i send this data to Splunk I would like to match that password and replace with a string like FILTERED. The tool I am using to log this data has no way to scrub that data while preserving the other get parameters, so I was hoping Splunk was able to. </P> <P>So some of my sample lines looks like this<BR /> 10.213.172.3 [02/May/2014:16:31:07 -0400] 31249 "GET /endPoint/?action=login&amp;loginUsername=test&amp;loginOrganization=Test&amp;loginPassword=superTest HTTP/1.1" 200 570 4243 "Zend_Http_Client" "-" -</P> <P>10.213.172.3 [02/May/2014:16:31:16 -0400] 187498 "POST /endpoint/other/otherPage.html?loginUsername=test&amp;loginPassword=superTest&amp;loginOrganization=Test HTTP/1.1" 200 1573 708 "Zend_Http_Client" "en-US,en;q=0.8" 6E1182505E7B71DAA4340E831A53F440.node1</P> <P>I am looking to match this parameter (up until the first space or &amp;)<BR /> &amp;loginPassword=((.*&amp;)|(\S+))<BR /> And replace that with something like <BR /> &amp;loginPassword=FILTERED</P> <P>So those 2 examples would end up indexed as<BR /> 10.213.172.3 [02/May/2014:16:31:07 -0400] 31249 "GET /endPoint/?action=login&amp;loginUsername=test&amp;loginOrganization=Test&amp;loginPassword=FILTERED HTTP/1.1" 200 570 4243 "Zend_Http_Client" "-" -</P> <P>10.213.172.3 [02/May/2014:16:31:16 -0400] 187498 "POST /endpoint/other/otherPage.html?loginUsername=test&amp;loginPassword=FILTERED&amp;loginOrganization=Test HTTP/1.1" 200 1573 708 "Zend_Http_Client" "en-US,en;q=0.8" 6E1182505E7B71DAA4340E831A53F440.node1</P> Mon, 28 Sep 2020 16:48:38 GMT https://community.splunk.com/t5/Getting-Data-In/Sanitize-Incoming-Data-remove-Passwords/m-p/191108#M38051 aattinello 2020-09-28T16:48:38Z https://community.splunk.com/t5/Getting-Data-In/Sanitize-Incoming-Data-remove-Passwords/m-p/191109#M38052 <P>Hi aattinello,</P> <P>I know you can mask sensitive data using props.conf and transforms.conf.</P> <P>In props.conf:</P> <PRE><CODE>[source::\\yoursource.log] TRANSFORMS-password = password_mask </CODE></PRE> <P>And in transforms.conf:</P> <PRE><CODE>[password_mask] DEST_KEY = _raw REGEX = (.*loginPassword=)\d\s FORMAT = $FILTERED$ </CODE></PRE> <P>I don't understand a lot of regex, but maybe you can modify it using some online checker.</P> <P>Hope this helps!</P> Fri, 06 Jun 2014 14:23:11 GMT https://community.splunk.com/t5/Getting-Data-In/Sanitize-Incoming-Data-remove-Passwords/m-p/191109#M38052 gfreitas 2014-06-06T14:23:11Z https://community.splunk.com/t5/Getting-Data-In/Sanitize-Incoming-Data-remove-Passwords/m-p/191110#M38053 <P>Yes, that is what i was looking for, thank you very much.</P> Fri, 06 Jun 2014 16:49:23 GMT https://community.splunk.com/t5/Getting-Data-In/Sanitize-Incoming-Data-remove-Passwords/m-p/191110#M38053 aattinello 2014-06-06T16:49:23Z