topic Re: SED command on props in Splunk Search

SED command on props

ranjitbrhm1 — Sun, 04 Nov 2018 06:29:16 GMT

Good Day all. I am trying to replace a last name using SED command on my props.
my data looks like below.
asdfa asdf first last asdf
asdf asdf first last asdf
asdf asdf first last asdf

My props looks like below

[mymask]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
SEDCMD-ranjit=s/\w+\s\w+\s(\w+\s)\w+/\1XXXXXXXX/g

When i upload the data into splunk my data is looking like below

first XXXXXXXX asdf
first XXXXXXXX asdf
first XXXXXXXX asdf

So basically it replaced the entire data before the pattern with the capture group and the modification which is the XXXX. i could capture the whole data as a capture group and replace them but i am looking for options where i can just replace the capture group with the modification.
so that my data looks like

asdf asdf first XXXXX asdf

Re: SED command on props

sduff_splunk — Sun, 04 Nov 2018 10:16:40 GMT

Can you post a better example of your data, your sample tells us nothing about the data and what you are attempting to replace. If we could see more, we could suggest a better SED expression for you to use.

Re: SED command on props

cpetterborg — Sun, 04 Nov 2018 18:31:20 GMT

There are several things wrong with the SEDCMD. Try:

SEDCMD-ranjit=s/^(\w+\s\w+\s\w+\s)(\w+)/\1XXXXXXXX/g

That should do what you want.

Re: SED command on props

FrankVl — Mon, 05 Nov 2018 08:19:59 GMT

@ranjitbrhm1 as mentioned on Slack, if it is indeed always the 4th word that needs to be masked, this should do the trick.