https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439835#M171522 <P>I've found that the results returned from my query will hide the word being searched on regardless of if it says 'password' or not. When I use the -expandproperty option on the raw field it totally removes the word being searched for from the result set. If I don't use the -expandproperty option then it replaces my search string with a ',' comma.<BR /> Since this problem seems to be bigger than my initial question that I posed, I'm going to close this question and get the latest version of the kit from GitHub. I hope that resolves this issue.</P> <P>Regards,<BR /> M</P> Tue, 07 May 2019 11:22:08 GMT MrMalice 2019-05-07T11:22:08Z https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439833#M171520 <P>I am trying to identify if events have password info in the returned events. I can run a query using the Search app and it returns the data that I am looking for. I visually examine the_raw output listing for the word 'password'. When I execute the same query using splunk-reskit-powershell the data is returned, however, the word 'password' is replaced with a ',' comma in the _raw data listing.</P> <P>The syntax of my query is in the form of : index= sourcetype= 'password'<BR /><BR /> I use preset times when using the gui and startime and endtime when using powershell.</P> <P>Is there a way to prevent the data from being replaced in my output from the powershell query?</P> Mon, 06 May 2019 13:49:23 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439833#M171520 MrMalice 2019-05-06T13:49:23Z https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439834#M171521 <P>The editor changed the context of my example.<BR /> It should read:<BR /> The syntax of my query is in the form of : index= "index_name" sourcetype="sourcetype_name" 'password' </P> Wed, 30 Sep 2020 00:21:22 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439834#M171521 MrMalice 2020-09-30T00:21:22Z https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439835#M171522 <P>I've found that the results returned from my query will hide the word being searched on regardless of if it says 'password' or not. When I use the -expandproperty option on the raw field it totally removes the word being searched for from the result set. If I don't use the -expandproperty option then it replaces my search string with a ',' comma.<BR /> Since this problem seems to be bigger than my initial question that I posed, I'm going to close this question and get the latest version of the kit from GitHub. I hope that resolves this issue.</P> <P>Regards,<BR /> M</P> Tue, 07 May 2019 11:22:08 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439835#M171522 MrMalice 2019-05-07T11:22:08Z https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439836#M171523 <P>I was unable to determine why the results from my search didn't include the search phrase from my search.<BR /> Example: index="main" sourcetype="splunkd" "FooFoo"<BR /> In my example the results in the_raw field would return all of the events without the word FooFoo in them.</P> <P>In order to get around this anomaly I piped the predicate out to regex.<BR /> index="main" sourcetype="splunkd" | regex _raw = "FooFoo"</P> <P>This returned all events along with the word "FooFoo" present in the result set.</P> Thu, 09 May 2019 14:41:44 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-reskit-powershell-Query-Masking-Data/m-p/439836#M171523 MrMalice 2019-05-09T14:41:44Z