Getting Data In

How do I mask a pattern using sedcmd in props.conf?

prakash007
Builder

How do I replace/mask the pattern below in props.conf..?

pattern
\"password\":\"passtest@123\"

expecting  
\"password\":\"masked\"
0 Karma
1 Solution

sundareshr
Legend

Try this (assuming the backslashes are part of the log)

s/\\("password\\":\\")([^\\]+)(\\")/$1masked$3/g

View solution in original post

0 Karma

prakash007
Builder

my original data is
id=A123 clientid:123456 SSLR

need to mask 123456
I used
s/(clientid\W)(\d+)(\s\w\w\w\w)/$1masked$3/g

you can try this....

"s/clientid:(\d+)/clientid:xxxxxx/g"

OUTPUT : id=A128 clientid:xxxxxx SSLR

"s/clientid\:(\d+)\s\S+/xxxxxx/g"

OUTPUT :  id=A128 xxxxxx
0 Karma

sundareshr
Legend

Try this (assuming the backslashes are part of the log)

s/\\("password\\":\\")([^\\]+)(\\")/$1masked$3/g
0 Karma

prakash007
Builder

Thanks it worked...just for my understanding..why do we use $1 and $3 in there..?

0 Karma

sundareshr
Legend

The original data is captured in 3 groups. The first group ($1) has \"password\":\" the second group has the password and the third group has \". $1masked$2, basically means use whatever is captured in group 1 followed by "masked" followed by whatever is captured in group 3

0 Karma

ankithreddy777
Contributor

For me it is not working. The output raw event is printed as $1masked$3.

0 Karma

sbbadri
Motivator

try this . In above use case backslash is present before and after password

s/(\"password\":\")(\S+.*)(\")/$1xxxxxxx$3/g

0 Karma

ankithreddy777
Contributor

my original data is
id=A123 clientid:123456 SSLR

need to mask 123456
I used
s/(clientid\W)(\d+)(\s\w\w\w\w)/$1masked$3/g

my output
id=A123 $1masked$3

0 Karma

prakash007
Builder

Is this the output you are expecting...??

id=A123 clientid:xxxxxx SSLR

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...