Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Masking

uagraw01
Motivator
‎09-05-2021 09:05 AM

Hello SPlunkers!!

 

I want to mask below client secret event and for that i am using SEDCMD in props.conf. It is working fine in lab environment. But whenever i have used to deploy this changes in the production it is not working. Please guide me what i am doing wrong here9

Below i have used.( SEDCMD i am using in Props)

SEDCMD-client-secret-1=s/client_secret=([A-Za-z0-9-.%#()_]+)/client_secret=********/g

Below is my event:

grant_type=client_credentials&client_id=dcqac926-6f0f-4784-bd5f-09fa13aeb73b&client_secret=.PM8o5kUF.R562yrqahj35_Lr6F%7

 

Thanks in advance

0 Karma
Reply

uagraw01
Motivator
‎09-06-2021 02:19 AM

Please help on this as i need to make the changes as soon as possible.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-05-2021 10:01 AM

It's a bit too little information to tell what's wrong.

Are you sure you're defining this sedcmd for the right sourcetype/source?

In case of a bigger architecture than all-in-one - are you deploying it in the proper place on the event's path? (on the ingest path, not on the search-head)

Do your events in prod environment look exactly the same as your lab ones?

0 Karma
Reply

uagraw01
Motivator
‎09-05-2021 10:32 AM

@PickleRick  Yes all the sourcetype settings are correct and i am picking for correct source and my deployment across deployment slaves are also correct.

0 Karma
Reply
Get Updates on the Splunk Community!

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Are you ready to uncover the threats hiding in plain sight? Join us for "Print, Leak, Repeat: UEBA Insider ...

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...