Getting Data In

Apply SEDCMD to mutli line events in props.conf with recurring field values

Raghav2384
Motivator

Hello Experts,

I have been asked to hash out one occurrence of value_key from the following logs. I have tried the following in props.conf on indexer

[default]
SEDCMD-hash = s/value_key:(\S+), code_key:PASSWORD/XXXXXX/g

and restarted splunk and instead of hiding it, it deleted all the events that contained value_key. When i try the same in search i get what i want

*****15 lines *******
[value_key:xyzabcd.click.net, code_key:USER_NAME]
        [value_key:**needtohidethispassword**, code_key:PASSWORD]
        [value_key:BHN-1click, code_key:DOMAIN]
        [value_key:46793, code_key:PORT_NUMBER]
        [value_key:1.2.3.4, code_key:ISG_IP]
        [value_key:ISG, code_key:type]
*****15 Lines*********

I know it has to be index time extraction only. Do i need a corresponding transforms.conf to define the class or can i acheive it solely using props.conf? if so, could you please provide syntax/tips?

Thanks,
Raghav

Tags (2)
0 Karma

ludoz13
Path Finder

Hello,

could you test this :

SEDCMD-hash = s/(.value_key:)([^\,]+)(, code_key:PASSWORD.)/\1XXXXXX\3/g

I hope it will help you

Raghav2384
Motivator

I got the same result as using

SEDCMD-hash = s/value_key:(\S+), code_key:PASSWORD/XXXXXX/g. Instead of

value_key:XXXXXX, code_key:PASSWORD , it replaces the whole line with [XXXXXX]. It started to make sense as this is happening at index time before the event boundaries are marked, or i might have missed the point totally.

Appreciate your help.
Thanks,
Raghav

0 Karma

somesoni2
Revered Legend

Do you want this to happen for all sourcetypes OR one particular sourcetype (asking as you created this entry in [default] stanza)?

Raghav2384
Motivator

I tried
[Sourcetype]
Sedcmd-xyz = s/regex/####/g and no luck.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.