Re: Masking

uagraw01 · ‎09-05-2021

Hello SPlunkers!!

I want to mask below client secret event and for that i am using SEDCMD in props.conf. It is working fine in lab environment. But whenever i have used to deploy this changes in the production it is not working. Please guide me what i am doing wrong here9

Below i have used.( SEDCMD i am using in Props)

SEDCMD-client-secret-1=s/client_secret=([A-Za-z0-9-.%#()_]+)/client_secret=********/g

Below is my event:

grant_type=client_credentials&client_id=dcqac926-6f0f-4784-bd5f-09fa13aeb73b&client_secret=.PM8o5kUF.R562yrqahj35_Lr6F%7

Thanks in advance

uagraw01 · ‎09-06-2021

Please help on this as i need to make the changes as soon as possible.

PickleRick · ‎09-05-2021

It's a bit too little information to tell what's wrong.

Are you sure you're defining this sedcmd for the right sourcetype/source?

In case of a bigger architecture than all-in-one - are you deploying it in the proper place on the event's path? (on the ingest path, not on the search-head)

Do your events in prod environment look exactly the same as your lab ones?

uagraw01 · ‎09-05-2021

@PickleRick Yes all the sourcetype settings are correct and i am picking for correct source and my deployment across deployment slaves are also correct.

Masking

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation