masking password with rex command

moin140586 · ‎10-08-2020

hi i have a data where there are two fields with password which i need to mask via props.conf and also in the search.

the data looks like this : "this is the test message to demonstrate two fields of password abc.password=QWERTYUI and in the same line we also have another password like xyyz.password=Q%1^WRTy."

rex field=_raw mode=sed "s/abc\.password=\w+/abc.password=XXXXXXXX/g"

i was trying my luck in the search first. i cannot do the masking in single rex sed command for both the passwords . i was able to do sucessfully for first one as its not having special characters.

Regards,

Moin

gcusello · ‎10-08-2020

Hi @moin140586,

in your regex I see that you didin't escaped "=", anyway, try something like this:

| makeresults 
| eval _raw="this is the test message to demonstrate two fields of password abc.password=QWERTYUI and in the same line we also have another password like xyyz.password=Q%1^WRTy."
| rex mode=sed "s/abc\.password\=\w+.*xyyz\.password\=.*/abc\.password\=********.*xyyz\.password\=********/g"

The regex can be used also in props.conf:

SEDCMD-anonymize = s/abc\.password\=\w+.*xyyz\.password\=.*/abc\.password\=********.*xyyz\.password\=********/g

If you can share a sample of your logs I could be more precise.

Ciao.

Giuseppe

masking password with rex command

props.conf

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Are you a member of the Splunk Community?

masking password with rex command

props.conf

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk