I have an XML file that looks something like this:
<?xml version="1.0" encoding="utf-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <update_identity_request xmlns=""> <firstName>test</firstName> <lastName>data</lastName> <preferredLanguage>en_US</preferredLanguage> <password>3bcgh014</password> <shipState>CA</shipState> <shipCountry>USA</shipCountry> </update_identity_request> </updateOIMIdentity> </soapenv:Body> </soapenv:Envelope>
and i'm trying to mask the password. I have the following in transforms
[password-anonymizer] REGEX = (?ms)^(.*\<password>)\w+(.*)$ FORMAT = $1##########$2 DEST_KEY = _raw
and also this in props.conf
[masks_password] TRANSFORMS-anonymize = password-anonymizer
tested my regex in https://regex101.com/ and it seems to be working fine too.
Did you put both these files on every
indexer and then restart Splunk on each one?
sourcetype of the events that you wish to modify? If not, you need to change the string in your stanza header of
your regex works really well if you don't use alphanumeric characters. Can you help me find a regex to use with a password that contains alphanumeric characters?
Thanks in advance.