Hi,
I am trying to mask data at index time, can you please help?
The first line is the result and the second is what I would like it to be.
Thx
"authenticationValue":"AAcBBGJxFAAAAZZANIJZdQAAAAA=" Result
"authenticationValue":"****************************"
Hi,
props are properly placed.
In search also nothing is changed.
Thank you for your effort.
Hi @egcp,
you can follow the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
You have two methods:
Using SEDCMD, you have to put in your props.conf:
[your_sourcetype]
# [^"]+ instead of \w+: the value is base64 and can contain +, / and =, which \w does not match
SEDCMD-xxx = s/"authenticationValue":"[^"]+"/"authenticationValue":"****************************"/g
Using props.conf and transforms.conf:
props.conf:
[your_sourcetype]
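TRANSFORMS-anonymizer = session-anonymizer
transforms.conf:
[session-anonymizer]
# With DEST_KEY = _raw, FORMAT becomes the whole event, so capture the text before and after the value
REGEX = (?m)^(.*)"authenticationValue":"[^"]+"(.*)$
FORMAT = $1"authenticationValue":"**********"$2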
DEST_KEY = _raw
There are also some videos teaching this topic on the Splunk YouTube channel.
Ciao.
Giuseppe
Hi,
Tried both options, but nothing changed in the log.
Hi @egcp,
the first check to perform is on the regex: use the "regex" command to check if the regex is correct
<your_search>
| rex mode=sed "s/\"authenticationValue\":\"[^\"]+\"/\"authenticationValue\":\"****************************\"/g"
then, where is this props.conf?
it must be located on the indexers or (if present) on Heavy Forwarders.
Ciao.
Giuseppe
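The regex check suggested above can also be run offline against the sample value from the question. This is an added example, not code from anyone in the thread; it assumes Python's `re` behaves like Splunk's regex engine for these patterns, and the fields around `authenticationValue` in the sample event are constructed.

```python
import re

# Constructed sample event built around the value quoted in the question.
SAMPLE_EVENT = '{"user":"demo","authenticationValue":"AAcBBGJxFAAAAZZANIJZdQAAAAA=","status":"ok"}'
SECRET = "AAcBBGJxFAAAAZZANIJZdQAAAAA="
MASK = '"authenticationValue":"' + "*" * 28 + '"'

# Candidate patterns: the \w+ form from the thread, and a form that accepts
# the whole base64 alphabet by matching everything up to the closing quote.
WORD_CHARS = r'"authenticationValue":"\w+"'
UNTIL_QUOTE = r'"authenticationValue":"[^"]+"'


def sed_mask(pattern: str, event: str) -> str:
    """Emulate s/<pattern>/<MASK>/g on one raw event."""
    # A function replacement keeps the mask literal (no backreference parsing).
    return re.sub(pattern, lambda _m: MASK, event)


def transform_mask(event: str) -> str:
    """Emulate a _raw rewrite, which must rebuild the entire event ($1...$2)."""
    m = re.search(r'(?m)^(.*)' + UNTIL_QUOTE + r'(.*)$', event)
    if m is None:
        return event  # no match: the event is left unchanged
    return m.group(1) + MASK + m.group(2)


def leaks(masked: str) -> bool:
    """True if the original secret is still present after masking."""
    return SECRET in masked


if __name__ == "__main__":
    for name, pat in (("\\w+", WORD_CHARS), ('[^"]+', UNTIL_QUOTE)):
        out = sed_mask(pat, SAMPLE_EVENT)
        print(f"{name:6} leaked={leaks(out)}  {out}")
    print("transform", transform_mask(SAMPLE_EVENT))
```

The `\w+` pattern leaves the event untouched because the trailing `=` padding sits between the last word character and the closing quote, so a masking rule built on it fails silently.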