Dashboards & Visualizations

Mask password in XML at index time

Path Finder

I have an XML file that looks something like this:

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <update_identity_request xmlns="">
     <firstName>test</firstName>
     <lastName>data</lastName>
     <preferredLanguage>en_US</preferredLanguage>
     <password>3bcgh014</password>
     <shipState>CA</shipState>
     <shipCountry>USA</shipCountry>
   </update_identity_request>
  </updateOIMIdentity>
 </soapenv:Body>
</soapenv:Envelope>

and i'm trying to mask the password. I have the following in transforms

[password-anonymizer]
REGEX = (?ms)^(.*\&lt;password&gt;)\w+(.*)$
FORMAT = $1##########$2
DEST_KEY = _raw

and also this in props.conf

[masks_password]
TRANSFORMS-anonymize = password-anonymizer

tested my regex in https://regex101.com/ and it seems to be working fine too.

1 Solution

Esteemed Legend

Did you put both these files on every indexer and then restart Splunk on each one?
Also is masks_password the sourcetype of the events that you wish to modify? If not, you need to change the string in your stanza header of props.conf.

View solution in original post

0 Karma

Esteemed Legend

Did you put both these files on every indexer and then restart Splunk on each one?
Also is masks_password the sourcetype of the events that you wish to modify? If not, you need to change the string in your stanza header of props.conf.

View solution in original post

0 Karma

Path Finder

hadn't restarted the indexer. thanks very much

0 Karma

Path Finder

Hello guys,

your regex works really well if you don't use alphanumeric characters. Can you help me find a regex to use with a password that contains alphanumeric characters?

Thanks in advance.

0 Karma