https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324067#M60324 <P>I tried the above transform and props config and it is modifying the whole event and just showing </P> <P>userPassword: ################################################</P> Wed, 28 Feb 2018 18:40:10 GMT ssyed2009 2018-02-28T18:40:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324063#M60320 <PRE><CODE>time: 20180227120538 ... 1 line omitted ... changetype: modify replace: userPassword userPassword: {1234} </CODE></PRE> <P>Currently, I am trying under props.conf but it doesn't seem to work.</P> <PRE><CODE>SEDCMD-masking = s/\suserPassword:\s\S+/\suserPassword:\s/################################################/ </CODE></PRE> Tue, 27 Feb 2018 18:15:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324063#M60320 ssyed2009 2018-02-27T18:15:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324064#M60321 <P>You can try a combination of props.conf and transforms.conf: <A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Anonymizedata">https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Anonymizedata</A></P> <P>props.conf</P> <PRE><CODE>[&lt;spec&gt;] TRANSFORMS-mask = password-masker </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[password-masker] REGEX = (?m)^(.*)userPassword:\s(\S+)(.*)$ FORMAT = $1userPassword: ################################################$3 DEST_KEY = _raw </CODE></PRE> Tue, 27 Feb 2018 19:43:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324064#M60321 mdsnmss 2018-02-27T19:43:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324065#M60322 <P>The SEDCMD is also an option which is what you are attempting. It looks like your regex may be missing for "/g" flag for replacing matches.</P> Tue, 27 Feb 2018 19:47:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324065#M60322 mdsnmss 2018-02-27T19:47:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324066#M60323 <P><CODE>SEDCMD-masking = s/suserPassword:\s\S+/suserPassword:\s/################################################\1/g</CODE></P> <P>You may also want to reduce the number of "#" if that isn't of importance. You don't want to necessarily make your data size larger.</P> Tue, 27 Feb 2018 19:51:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324066#M60323 mdsnmss 2018-02-27T19:51:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324067#M60324 <P>I tried the above transform and props config and it is modifying the whole event and just showing </P> <P>userPassword: ################################################</P> Wed, 28 Feb 2018 18:40:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324067#M60324 ssyed2009 2018-02-28T18:40:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324068#M60325 <P>Is this your full event you are trying to modify? </P> <P>time: 20180227120538<BR /> ... 1 line omitted ...<BR /> changetype: modify<BR /> replace: userPassword<BR /> userPassword: {1234}</P> <P>It's likely having issues with the multiline format. Try the regex <CODE>(?s)(.*)userPassword:\s(\S+)(.*)$</CODE></P> Wed, 28 Feb 2018 18:51:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-mask-passwords-from-splunk-logs/m-p/324068#M60325 mdsnmss 2018-02-28T18:51:30Z