Getting Data In

SEDCMD with winhostmon

MattibergB
Path Finder

We are trying to mask some data from winhostmon using SEDCMD.

The sample data sourcetype=WinHostMon source=process :

Type=Process
Name="wfcrun32.exe"
ProcessId=1
CommandLine="C:\PROGRAM FILES (X86)\Test\test.EXE" /h0 "C:\Program Files (x86)\Test2\test2.test" /username:"Test" /domain:AD /password:"test"
StartTime="20170516135737.278912+120"
Host="test-test2-test3"
Path="C:\PROGRAM FILES (X86)\Test\test.EXE"

Props:

[WinHostMon]
SEDCMD-anonymize=s/\/password.*$/\/password:XXXXX/g

The issue is that it is not masking the data. I have tried sourcetype, source and host on the indexer, but still it's not masking.
If I upload a test file with data using the add data option I am able to mask the data using the SEDCMD; the same goes for a file with a static sourcetype.
My guess is that the source/sourcetype is not correct because of the way Splunk identifies the data at indexing/parsing.

Does anyone have an idea how I can mask the data at indexing time?
The data is being sent from a universal forwarder to our indexers, so it is not passing through a heavy forwarder.

0 Karma
1 Solution

koshyk
Super Champion

Your logic should work correctly.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Anonymizedata

Two things to double-check:
1. Have you restarted your instance and pumped new data? As it will work from that point onwards and NOT on already indexed data.
2. Is the event above multiline or single line? (Just to ensure the .*$ reaches the end of line at all.)
3. Can you please put an EVAL statement under the stanza of props.conf (e.g. EVAL-mykey="somevalue")? This will ensure the sourcetype is correct and the stanza name is valid.

0 Karma

MattibergB
Path Finder

To answer your questions:
1. We have restarted after each change and waited for new data to come in.
2. It is a multiline event; we tested the command via CLI and that worked, but it might not work in Splunk.
3. We are running Splunk 7.0.3. I thought an eval only worked from 7.1 or 7.2 and up? But I like the idea, so I will try to find a way to add something to see if the sourcetype is correct.

Thank you for your comment!

0 Karma

MattibergB
Path Finder

After changing the SEDCMD to the following it works, thank you for the multiline tip!
s/(?m)\/password.*$/\/password:XXXXX/g

0 Karma
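As an added illustration (not code from this thread or from Splunk), the Python below applies both SEDCMD expressions from the thread to a reconstruction of the multiline event in the question and shows why the original one never matched: without (?m), $ only matches at the end of the whole event, and .* cannot cross the newline after /password:"test", so there is no match at all and nothing is masked. With (?m), $ matches at the end of each line and only the password line is rewritten. Python's re module is used as a stand-in for Splunk's regex engine (an assumption; $ and (?m) behave the same way in PCRE). The parse_sedcmd helper is hypothetical and only understands the s/regex/replacement/flags shape used here, with "/" escaped as "\/".

```python
import re

# Constructed sample event modelled on the one in the question: a single
# multiline WinHostMon process event as it would arrive at the indexer.
SAMPLE_EVENT = (
    'Type=Process\n'
    'Name="wfcrun32.exe"\n'
    'ProcessId=1\n'
    'CommandLine="C:\\PROGRAM FILES (X86)\\Test\\test.EXE" /h0 '
    '"C:\\Program Files (x86)\\Test2\\test2.test" '
    '/username:"Test" /domain:AD /password:"test"\n'
    'StartTime="20170516135737.278912+120"\n'
    'Host="test-test2-test3"\n'
    'Path="C:\\PROGRAM FILES (X86)\\Test\\test.EXE"'
)

# The two SEDCMD values from the thread, exactly as written in props.conf.
SEDCMD_ORIGINAL = r"s/\/password.*$/\/password:XXXXX/g"
SEDCMD_FIXED = r"s/(?m)\/password.*$/\/password:XXXXX/g"


def parse_sedcmd(sedcmd):
    """Split 's/regex/replacement/flags' into (regex, replacement, flags).

    Hypothetical helper: it only handles '/' as the delimiter, with '\\/'
    meaning a literal '/' and any other backslash escape passed through
    untouched to the regex engine.
    """
    if not sedcmd.startswith("s/"):
        raise ValueError("only substitute (s/.../.../) commands are supported")
    parts, current, i = [], [], 2
    while i < len(sedcmd):
        ch = sedcmd[i]
        if ch == "\\" and i + 1 < len(sedcmd):
            nxt = sedcmd[i + 1]
            # '\/' is an escaped delimiter; other escapes (\d, \s, ...) are kept.
            current.append("/" if nxt == "/" else ch + nxt)
            i += 2
            continue
        if ch == "/":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    return tuple(parts)


def apply_sedcmd(sedcmd, event):
    """Apply one SEDCMD to an event; returns (rewritten_event, substitutions).

    Python's re stands in for Splunk's regex engine (assumption). The 'g'
    flag means replace every match, otherwise only the first.
    """
    regex, replacement, flags = parse_sedcmd(sedcmd)
    count = 0 if "g" in flags else 1
    return re.subn(regex, replacement, event, count=count)


def password_masked(event):
    """True when no quoted password value survives in the event."""
    return re.search(r'/password:"[^"]*"', event) is None


if __name__ == "__main__":
    for label, cmd in (("original", SEDCMD_ORIGINAL), ("with (?m)", SEDCMD_FIXED)):
        rewritten, n = apply_sedcmd(cmd, SAMPLE_EVENT)
        print(f"{label}: {n} substitution(s), masked={password_masked(rewritten)}")
        print(rewritten.splitlines()[3])
```

Running it prints 0 substitutions for the original expression and 1 for the (?m) version, with the CommandLine line ending in /password:XXXXX and the StartTime, Host and Path lines untouched. The same check is worth repeating whenever a SEDCMD anchored on $ is applied to a sourcetype that merges lines into one event.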