- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Mask password in XML at index time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an XML file that looks something like this:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<update_identity_request xmlns="">
<firstName>test</firstName>
<lastName>data</lastName>
<preferredLanguage>en_US</preferredLanguage>
<password>3bcgh014</password>
<shipState>CA</shipState>
<shipCountry>USA</shipCountry>
</update_identity_request>
</updateOIMIdentity>
</soapenv:Body>
</soapenv:Envelope>
and i'm trying to mask the password. I have the following in transforms
[password-anonymizer]
REGEX = (?ms)^(.*\<password>)\w+(.*)$
FORMAT = $1##########$2
DEST_KEY = _raw
and also this in props.conf
[masks_password]
TRANSFORMS-anonymize = password-anonymizer
tested my regex in https://regex101.com/ and it seems to be working fine too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you put both these files on every indexer and then restart Splunk on each one?
Also is masks_password the sourcetype of the events that you wish to modify? If not, you need to change the string in your stanza header of props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you put both these files on every indexer and then restart Splunk on each one?
Also is masks_password the sourcetype of the events that you wish to modify? If not, you need to change the string in your stanza header of props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hadn't restarted the indexer. thanks very much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello guys,
your regex works really well if you don't use alphanumeric characters. Can you help me find a regex to use with a password that contains alphanumeric characters?
Thanks in advance.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
