https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708197#M239498 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/264857">@kiran_panchavat</a>&nbsp;. your solution works great.</P> Tue, 07 Jan 2025 18:54:36 GMT dwangfeng 2025-01-07T18:54:36Z https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708163#M239485 <P>Here is my raw data in the splunk query</P><P><SPAN>&lt;s:Envelope xmlns:s="<A href="http://schemas.xmlsoap.org/soap/envelope/" target="_blank" rel="noopener">http://schemas.xmlsoap.org/soap/envelope/</A>"&gt; &lt;s:Body xmlns:xsi="<A href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" rel="noopener">http://www.w3.org/2001/XMLSchema-instance</A>" xmlns:xsd="<A href="http://www.w3.org/2001/XMLSchema" target="_blank" rel="noopener">http://www.w3.org/2001/XMLSchema</A>"&gt; &lt;application xmlns="<A href="http://www.abc.com/services/listService" target="_blank" rel="noopener">http://www.abc.com/services/listService</A>"&gt; &lt;header&gt; &lt;user&gt;def@ghi.com&lt;/user&gt; &lt;password&gt;al3yu2430nald&lt;/password&gt;</SPAN></P><P>&nbsp;</P><P><SPAN>If I want to mask the password value and show in the splunk output as:<BR />&lt;s:Envelope xmlns:s="<A href="http://schemas.xmlsoap.org/soap/envelope/" target="_blank" rel="noopener">http://schemas.xmlsoap.org/soap/envelope/</A>"&gt; &lt;s:Body xmlns:xsi="<A href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" rel="noopener">http://www.w3.org/2001/XMLSchema-instance</A>" xmlns:xsd="<A href="http://www.w3.org/2001/XMLSchema" target="_blank" rel="noopener">http://www.w3.org/2001/XMLSchema</A>"&gt; &lt;application xmlns="<A href="http://www.abc.com/services/listService" target="_blank" rel="noopener">http://www.abc.com/services/listService</A>"&gt; &lt;header&gt; &lt;user&gt;def@ghi.com&lt;/user&gt; &lt;password&gt;xxxxxxxxxxxx&lt;/password&gt;<BR /></SPAN></P><P><SPAN>How can I do that?</SPAN></P> Tue, 07 Jan 2025 16:45:29 GMT https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708163#M239485 dwangfeng 2025-01-07T16:45:29Z https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708188#M239492 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/77444">@dwangfeng</a>&nbsp;Can you try this&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_0-1736276074956.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34053i911283EA1E3FAF19/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_0-1736276074956.png" alt="kiran_panchavat_0-1736276074956.png" /></span></P><P>&nbsp;</P><P>I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.</P><P>Please, don't forget to accept this solution if it fits your needs.</P> Tue, 07 Jan 2025 18:54:45 GMT https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708188#M239492 kiran_panchavat 2025-01-07T18:54:45Z https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708189#M239493 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/77444">@dwangfeng</a>&nbsp;</P><P>index="yourindex" sourcetype="yoursourcetype"<BR />| rex mode=sed "s/&lt;password&gt;[^&lt;]+&lt;\/password&gt;/&lt;password&gt;xxxxxxxxxxxx&lt;\/password&gt;/g"</P><P>I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.</P><P>Please, don't forget to accept this solution if it fits your needs.</P> Tue, 07 Jan 2025 18:23:45 GMT https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708189#M239493 kiran_panchavat 2025-01-07T18:23:45Z https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708196#M239497 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/77444">@dwangfeng</a>&nbsp;</P><P>Apply this props.conf&nbsp;</P><P>[&lt;sourcetype&gt;]<BR />SEDCMD-splunktestdata = s/(?i)(&lt;password&gt;)[^&lt;]+(&lt;\/password&gt;)/\1xxxxxxxxxxxx\2/g</P> Tue, 07 Jan 2025 18:53:34 GMT https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708196#M239497 kiran_panchavat 2025-01-07T18:53:34Z https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708197#M239498 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/264857">@kiran_panchavat</a>&nbsp;. your solution works great.</P> Tue, 07 Jan 2025 18:54:36 GMT https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708197#M239498 dwangfeng 2025-01-07T18:54:36Z https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708286#M239532 <P>Hi</P><P>even you can mask that data in GUI, it didn't mean that you have really masked that data in Splunk. You must remember that after you have write it into bucket then it there and there is always a way to get it out in plain text if/when you have access to GUI and can write SPL. Even you are using search time props.conf and transforms.conf.</P><P>The only way is remove that data from index and reindex it again. And even the delete command is not enough if you have access to buckets on CLI level, you could get thet data back. The only way is let it go away with set frozen time enough low, then wait and then reindex it.</P><P>r. Ismo</P> Wed, 08 Jan 2025 18:16:10 GMT https://community.splunk.com/t5/Splunk-Search/Replace-raw-data-for-the-matched-string-pattern-in-a-multiple/m-p/708286#M239532 isoutamo 2025-01-08T18:16:10Z