Getting Data In

How do I mask a pattern using sedcmd in props.conf?

prakash007
Builder

How do I replace/mask the pattern below in props.conf..?

pattern
\"password\":\"passtest@123\"

expecting  
\"password\":\"masked\"
0 Karma
1 Solution

sundareshr
Legend

Try this (assuming the backslashes are part of the log)

s/\\("password\\":\\")([^\\]+)(\\")/$1masked$3/g

View solution in original post

0 Karma

prakash007
Builder

my original data is
id=A123 clientid:123456 SSLR

need to mask 123456
I used
s/(clientid\W)(\d+)(\s\w\w\w\w)/$1masked$3/g

you can try this....

"s/clientid:(\d+)/clientid:xxxxxx/g"

OUTPUT : id=A128 clientid:xxxxxx SSLR

"s/clientid\:(\d+)\s\S+/xxxxxx/g"

OUTPUT :  id=A128 xxxxxx
0 Karma

sundareshr
Legend

Try this (assuming the backslashes are part of the log)

s/\\("password\\":\\")([^\\]+)(\\")/$1masked$3/g
0 Karma

prakash007
Builder

Thanks it worked...just for my understanding..why do we use $1 and $3 in there..?

0 Karma

sundareshr
Legend

The original data is captured in 3 groups. The first group ($1) has \"password\":\" the second group has the password and the third group has \". $1masked$2, basically means use whatever is captured in group 1 followed by "masked" followed by whatever is captured in group 3

0 Karma

ankithreddy777
Contributor

For me it is not working. The output raw event is printed as $1masked$3.

0 Karma

sbbadri
Motivator

try this . In above use case backslash is present before and after password

s/(\"password\":\")(\S+.*)(\")/$1xxxxxxx$3/g

0 Karma

ankithreddy777
Contributor

my original data is
id=A123 clientid:123456 SSLR

need to mask 123456
I used
s/(clientid\W)(\d+)(\s\w\w\w\w)/$1masked$3/g

my output
id=A123 $1masked$3

0 Karma

prakash007
Builder

Is this the output you are expecting...??

id=A123 clientid:xxxxxx SSLR

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...