How to write a regex to match two types of password in logs?

Hemnaath
Motivator

Hi Team,

How to write a regex to capture these two passwords from the logs?

E.g.: D: [20200527-144244] login login: cf_db_password=weblogic

D: [20200527-144244] login login: password=weblogic_test

D: [20200527-134842] login login: cf.db.password.hms=test_weblogic

 

password\.?\=([^\s]+) --> Using this regex I was able to capture the first two log patterns.

password\.?\w+?\=([^\s]+)  --> Using this regex I was able to capture "D: [20200527-134842] login login: cf.db.password.hms=test_weblogic" 

 

The question is how to write a regex pattern to capture all the password patterns from the above example.

 

 


venkatasri
SplunkTrust

Hi Hemnaath,

A little improvisation to satisfy your requirement. You can use the following in props.conf using SEDCMD.

 

s/password(|\.?\w+?)\=([^\s]+)/password\1=XXXXX/g

 

Output:

[20200527-144244] login login: cf_db_password=XXXXX
[20200527-144244] login login: password=XXXXX
[20200527-134842] login login: cf.db.password.hms=XXXXX

----

Please upvote if this helps!


ITWhisperer
SplunkTrust
password(|\.?\w+?)\=([^\s]+)

Hemnaath
Motivator

When I use this regex password(|\.?\w+?)\=([^\s]+) it captures the password details, but in Group1 it is capturing part of the password.

password=weblogic

Fullmatch=password=weblogic

Group1= empty space

Group2=weblogic


cf_db_password=weblogic_test

Fullmatch=password=weblogic_test

Group1= empty space

Group2=weblogic_test


cf.db.password.hms=hms_weblogic

Fullmatch=password.hms=hms_weblogic

Group1 = hms

Group2=hms_weblogic

I need to capture only the password=hms_weblogic, password=weblogic so that I can mask the password using SEDCMD in the props.conf file.

So I need a regex which can capture the password=xxxx.
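
An added example, not part of any post in this thread: a small Python check that applies the SEDCMD substitution from the answer above to the question's three sample events, reports what groups 1 and 2 hold for each, and flags any event whose known secret is still readable after masking. It assumes Python's `re` module behaves like Splunk's regex engine for this pattern; the function names and the fourth, upper-case event are constructed for illustration.

```python
import re

# Regex from the SEDCMD answer above. Group 1 is the optional key suffix
# after "password" (empty, or e.g. ".hms"); group 2 is the secret value.
MASK_RE = re.compile(r"password(|\.?\w+?)=([^\s]+)")
PLACEHOLDER = "XXXXX"

# (raw event, secret it contains). The first three are the thread's samples;
# the last is constructed to show a key the case-sensitive pattern misses.
EVENTS = [
    ("D: [20200527-144244] login login: cf_db_password=weblogic", "weblogic"),
    ("D: [20200527-144244] login login: password=weblogic_test", "weblogic_test"),
    ("D: [20200527-134842] login login: cf.db.password.hms=test_weblogic",
     "test_weblogic"),
    ("D: [20200527-150000] login login: DB_PASSWORD=constructed_value",
     "constructed_value"),
]


def mask(event):
    # Same effect as: s/password(|\.?\w+?)\=([^\s]+)/password\1=XXXXX/g
    return MASK_RE.sub(lambda m: f"password{m.group(1)}={PLACEHOLDER}", event)


def match_groups(event):
    # (group 1, group 2) for each match, to see what the replacement keeps.
    return [m.groups() for m in MASK_RE.finditer(event)]


def unmasked(events):
    # Events whose known secret is still readable after masking.
    return [raw for raw, secret in events if secret in mask(raw)]


if __name__ == "__main__":
    for raw, _ in EVENTS:
        print(mask(raw), match_groups(raw))
    print("still exposed:", unmasked(EVENTS))
```

Running a check like this against representative events before deploying a masking rule shows which key spellings the pattern does not cover.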
