https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456756#M78940 <P>To answer your questions:<BR /> 1. We have restarted after each change and waited for new data to come in<BR /> 2. It is a multiline event, we tested the command via CLI and that worked but it might not work in Splunk. <BR /> 3. We are running splunk 7.0.3 i though a eval only worked from 7.1 or 7.2 and up? But i like the idea so i will try to find a way to add something to see if the sourcetype is correct.</P> <P>Thank you for you comment!</P> Fri, 17 May 2019 05:15:24 GMT MattibergB 2019-05-17T05:15:24Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456754#M78938 <P>We are trying to mask some data from winhostmon using SEDCMD.</P> <P>The sample data sourcetype=WinHostMon source=process :</P> <PRE><CODE>Type=Process Name="wfcrun32.exe" ProcessId=1 CommandLine="C:\PROGRAM FILES (X86)\Test\test.EXE" /h0 "C:\Program Files (x86)\Test2\test2.test" /username:"Test" /domain:AD /password:"test" StartTime="20170516135737.278912+120" Host="test-test2-test3" Path="C:\PROGRAM FILES (X86)\Test\test.EXE" </CODE></PRE> <P>Props:</P> <PRE><CODE>[WinHostMon] SEDCMD-anonymize=s/\/password.*$/\/password:XXXXX/g </CODE></PRE> <P>The issue is that it is not masking the data, i have tried sourcetype,source and host on the indexer but still its not masking.<BR /> If i upload a test file with data using the add data option i am able to mask the data using the SEDCMD, same goes for a file with a static sourcetype.<BR /> My guess is that the source/sourcetype is not correct because of the way Splunk identifies the data at indexing/parsing.</P> <P>Does anyone have an idea how i can mask the data at indexing time?<BR /> The data is being send from a universal forwarder to our indexers so it is not passing through a heavy forwarder.</P> Thu, 16 May 2019 13:25:19 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456754#M78938 MattibergB 2019-05-16T13:25:19Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456755#M78939 <P>Your logic should work correctly.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Anonymizedata">https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Anonymizedata</A></P> <P>Two things to double check<BR /> 1. Have you restarted your instance and pumped new data? as it will work from that point onwards and NOT on already indexed data<BR /> 2. Is the event above multiline or single line? (just to ensure if the .*$ reaches the end of line at all)<BR /> 3. Can you please put a EVAL statement under the stanza of props.conf. (eg EVAL-mykey="somevalue") This will ensure if sourcetype is correct and stanza name is valid</P> Thu, 16 May 2019 14:19:03 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456755#M78939 koshyk 2019-05-16T14:19:03Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456756#M78940 <P>To answer your questions:<BR /> 1. We have restarted after each change and waited for new data to come in<BR /> 2. It is a multiline event, we tested the command via CLI and that worked but it might not work in Splunk. <BR /> 3. We are running splunk 7.0.3 i though a eval only worked from 7.1 or 7.2 and up? But i like the idea so i will try to find a way to add something to see if the sourcetype is correct.</P> <P>Thank you for you comment!</P> Fri, 17 May 2019 05:15:24 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456756#M78940 MattibergB 2019-05-17T05:15:24Z https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456757#M78941 <P>After changing the SEDCMD to the following it works, thank you for the multiline tip!<BR /> s/(?m)\/password.*$/\/password:XXXXX/g</P> Tue, 21 May 2019 08:09:56 GMT https://community.splunk.com/t5/Getting-Data-In/SEDCMD-with-winhostmon/m-p/456757#M78941 MattibergB 2019-05-21T08:09:56Z