How do you mask values using SEDCMD in payload emi...

nmohammed · ‎01-30-2019

I need help in masking data in the payload emitted in the log. The application writes logs to Windows Event logs -

Message=[2019-01-29 07:00:24,706] {1302} INFO SomeHelper::SendToDestination - {"RefId":"78c2511d-5aa6-4b92-9a50-3622d62ac1a2","Lender":{"Id":"4be018e4-de81-4142-adf0-cfa3dd923c7c","FirstName":"SomeFirstName","LastName":"SomeLastName","Quailification":false,"ID":"4be018e4-de81-4142-adf0-cfa3dd923c7c"}

I have tried the following SEDCMD in props.conf , but it masks all the fields after the "LastName" in payload in the EventLog.

SEDCMD-ananlname = s/("LastName":".*"/"LastName":"*****"/

woodcock · ‎01-30-2019

Try this to eliminate the entire section (you might as well save the license cost, too):

SEDCMD-stripLastName = s/,"LastName":"[^"]+"//

chrisyounger · ‎01-30-2019

Hi @nmohammed

This sedcmd should work better for you: SEDCMD-ananlname = s/"LastName":"[^\"]*"/"LastName":""/

The main change is that instead of using .* (which means capture everything to the end of the line) I am instead using [^\"]* (which means capture everything until you reach a double quote)

Good luck

How do you mask values using SEDCMD in payload emitted in the logs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation