https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322366#M161442 <P>Thanks @ koshyk for the insight. But I'm still having issues getting the sample data masked at index time. </P> <P>Sample data to be masked : ns2:arg name="password" value="utTSsgTST9B"/<BR /> props.conf<BR /> [password_log]<BR /> TRANSFORMS-anonymize = password-anonymizer</P> <P>transforms.conf<BR /> [password-anonymizer]<BR /> REGEX = (?m)^(.)"password"=\s\w+('[a-z0-9#])["/].)$<BR /> FORMAT = $1password=########$2<BR /> DEST_KEY = _raw</P> <P>What am i doing wrong?<BR /> Thanks<BR /> -u</P> Tue, 11 Apr 2017 06:20:53 GMT u2s1e0n2 2017-04-11T06:20:53Z https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322364#M161440 <P>I will like to mask this data so that the password value is "XXXXXXXX". I have tried SEDCMD, scrub and transforms but I just couldn't get it done. Thanks for your help</P> Mon, 10 Apr 2017 03:21:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322364#M161440 u2s1e0n2 2017-04-10T03:21:33Z https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322365#M161441 <P>Index time means you can never recover the value again. Splunk's official <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Anonymizedata" target="_blank">documentation to anonymize data</A></P> <UL> <LI>Create an app (eg my_mask_app)</LI> <LI>within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg <CODE>probable_password_sourcetype</CODE>)</LI> <LI>within "local" directory, create props.conf and put the value for the above sourcetype</LI> </UL> <P><STRONG>Example</STRONG></P> <PRE><CODE>[probable_password_sourcetype] TRANSFORMS-anonymize = password-anonymizer </CODE></PRE> <UL> <LI>Now create transforms.conf in "local" and put the regex logic. Below is a sample only</LI> </UL> <P><STRONG>Example</STRONG></P> <PRE><CODE>[password-anonymizer] REGEX = (?m)^(.*)password=\w+(\w{4}[&amp;"].*)$ FORMAT = $1password=########$2 DEST_KEY = _raw </CODE></PRE> Tue, 29 Sep 2020 13:35:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322365#M161441 koshyk 2020-09-29T13:35:20Z https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322366#M161442 <P>Thanks @ koshyk for the insight. But I'm still having issues getting the sample data masked at index time. </P> <P>Sample data to be masked : ns2:arg name="password" value="utTSsgTST9B"/<BR /> props.conf<BR /> [password_log]<BR /> TRANSFORMS-anonymize = password-anonymizer</P> <P>transforms.conf<BR /> [password-anonymizer]<BR /> REGEX = (?m)^(.)"password"=\s\w+('[a-z0-9#])["/].)$<BR /> FORMAT = $1password=########$2<BR /> DEST_KEY = _raw</P> <P>What am i doing wrong?<BR /> Thanks<BR /> -u</P> Tue, 11 Apr 2017 06:20:53 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322366#M161442 u2s1e0n2 2017-04-11T06:20:53Z https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322367#M161443 <P>Good to see a sample data. Your regex seems wrong</P> <P>Have a try below. </P> <P>[password-anonymizer]<BR /> REGEX =(?m)^(.+)\svalue=\"([\w\W]+)\"(.*)$<BR /> FORMAT = $1 value=########$3<BR /> DEST_KEY = _raw</P> Tue, 11 Apr 2017 07:55:36 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322367#M161443 koshyk 2017-04-11T07:55:36Z https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322368#M161444 <P>Thanks. It worked.</P> Tue, 11 Apr 2017 14:19:03 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322368#M161444 u2s1e0n2 2017-04-11T14:19:03Z https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322369#M161445 <P>Please mark the answer as accepted if this works for you <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 11 Apr 2017 14:39:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-mask-this-data-at-index-time/m-p/322369#M161445 DMohn 2017-04-11T14:39:55Z