How to write a regex to match two types of passwor...

Hemnaath · ‎09-10-2020

Hi Team,

How to write a regex to capture this two password from the logs ?

Eg: 😧 [20200527-144244] login login: cf_db_password=weblogic

😧 [20200527-144244] login login: password=weblogic_test

😧 [20200527-134842] login login: cf.db.password.hms=test_weblogic

password\.?\=([^\s]+) --> Using this regex I was able to capture the first two logs pattern.

password\.?\w+?\=([^\s]+) --> Using this regex I was able to capture "D: [20200527-134842] login login: cf.db.password.hms=test_weblogic"

Question is how to write a regex pattern to capture all the password pattern from the above example.

venkatasri · ‎09-10-2020

Hi Hemnaath,

Little improvisation to satisfy your requirement. You can use following in props.conf using SEDCMD .

s/password(|\.?\w+?)\=([^\s]+)/password\1=XXXXX/g

Output:

[20200527-144244] login login: cf_db_password=XXXXX
[20200527-144244] login login: password=XXXXX
[20200527-134842] login login: cf.db.password.hms=XXXXX

----

Please upvote if this helps!

ITWhisperer · ‎09-10-2020

password(|\.?\w+?)\=([^\s]+)

Hemnaath · ‎09-10-2020

when I use this regex password(|\.?\w+?)\=([^\s]+) it is capturing the password details but in the Group1 it is capturing the part of the password.

password=weblogic

Fullmatch=password=weblogic

Group1= emty space

Group2=weblogic

cf_db_password=weblogic_test

Fullmatch=password=weblogic_test

Group1= empty space

Group2=weblogic_test

cf.db.password.hms=hms_weblogic

Fullmatch=password.hms=hms_weblogic

Group1 = hms

Group2=hms_weblogic

I need to capture only the password=hms_weblogic, password=weblogic so that I can mask the password using SEDCMD in props.conf file.

so i need a regex which can capture the password=xxxx.

How to write a regex to match two types of password in logs?

field extraction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?