Mask a field in props.conf

omuelle1
Communicator

Hi,

I am trying to mask some passwords but I cannot figure out the proper props.conf (ha!) for it. It works on the fly but not when I try to set it in props.conf.

This is my mask on the fly, basically just replace the password with some characters:

rex mode=sed field=ms_Mcs_AdmPwd "s/ms_Mcs_AdmPwd=(\w+)/###\2/g"

 

and this is the raw data from sourcetype: ActiveDirectory

Additional Details:

                                  msLAPS-PasswordExpirationTime=133579223312233231

                                  ms-Mcs-AdmPwd=RlT34@iw4dasdasd

 

How would I do this in props.conf or transforms.conf?

 

Oliver

0 Karma

gcusello
SplunkTrust

Hi @omuelle1,

You have to use the SEDCMD command in props.conf:

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
* No default.

as described at https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Propsconf

In your case:

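[your_sourcetype]
# SEDCMD needs a -<class> suffix (any name) and runs on _raw, where the key is written with hyphens
SEDCMD-mask_admpwd = s/(ms-Mcs-AdmPwd=)\S+/\1###/g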

Ciao.

Giuseppe

 

0 Karma
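A way to check a mask pattern against the raw event before putting it in props.conf, as an added example that is not part of the original thread. It assumes Python's `re` behaves like Splunk's sed engine for these simple patterns; the sample event is constructed from the raw data in the question, and the class name `mask_admpwd` is a hypothetical choice.

```python
import re

# Constructed sample event, modelled on the raw data quoted in the question.
SECRET = "RlT34@iw4dasdasd"
RAW_EVENT = (
    "Additional Details:\n"
    "    msLAPS-PasswordExpirationTime=133579223312233231\n"
    "    ms-Mcs-AdmPwd=" + SECRET + "\n"
)

# Pattern from the thread: underscores are the search-time field name,
# but SEDCMD runs on _raw, where the key is written with hyphens.
THREAD_PATTERN = r"ms_Mcs_AdmPwd=(\w+)"
# Hyphenated key, still \w+: the match stops at the first non-word character.
PARTIAL_PATTERN = r"(ms-Mcs-AdmPwd=)\w+"
# Hyphenated key, \S+ consumes the whole value. props.conf form:
#   SEDCMD-mask_admpwd = s/(ms-Mcs-AdmPwd=)\S+/\1###/g
FIXED_PATTERN = r"(ms-Mcs-AdmPwd=)\S+"


def sed_replace(pattern, replacement, text):
    """Emulate s/pattern/replacement/g; return (new_text, match_count)."""
    return re.subn(pattern, replacement, text)


def leaks_secret(text, secret, min_len=4):
    """True if any min_len-character slice of the secret survives in text."""
    return any(secret[i:i + min_len] in text
               for i in range(len(secret) - min_len + 1))


def check(pattern, replacement):
    """Apply the mask to the sample event; return (match_count, still_leaking)."""
    masked, hits = sed_replace(pattern, replacement, RAW_EVENT)
    return hits, leaks_secret(masked, SECRET)


if __name__ == "__main__":
    for name, pat, repl in [
        ("thread", THREAD_PATTERN, "###"),
        ("partial", PARTIAL_PATTERN, r"\1###"),
        ("fixed", FIXED_PATTERN, r"\1###"),
    ]:
        hits, leaking = check(pat, repl)
        print(f"{name:8} matches={hits} secret_still_visible={leaking}")
```
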