Hi,
I am trying to mask some passwords, but I cannot figure out the proper props.conf (ha!) for it. It works on the fly, but not when I try to set it in props.conf.
This is my mask on the fly, which basically just replaces the password with some characters:
rex mode=sed field=ms_Mcs_AdmPwd "s/ms_Mcs_AdmPwd=(\w+)/###\2/g"
And this is the raw data from sourcetype ActiveDirectory:
Additional Details:
msLAPS-PasswordExpirationTime=133579223312233231
ms-Mcs-AdmPwd=RlT34@iw4dasdasd
How would I do this in props.conf or transforms.conf?
Oliver
Hi @omuelle1,
you have to use the SEDCMD command in props.conf,
SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
* No default.
as described at https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Propsconf
In your case:
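[your_sourcetype]
# Runs on _raw at index time, where the attribute is written ms-Mcs-AdmPwd.
# The class name after "SEDCMD-" is arbitrary; \S+ also covers symbols like "@".
SEDCMD-mask_admpwd = s/(ms-Mcs-AdmPwd=)\S+/\1###/g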
Ciao.
Giuseppe
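A way to check a candidate SEDCMD script against the raw event from the question before putting it in props.conf. This is an added example, not code from the thread or from Splunk. It assumes Python's `re` is close enough to Splunk's regex engine for these patterns, and `apply_sed`, `password_line` and the candidate names are hypothetical.

```python
import re

# Constructed sample event, assembled from the raw lines quoted in the question.
SAMPLE_EVENT = (
    "Additional Details:\n"
    "msLAPS-PasswordExpirationTime=133579223312233231\n"
    "ms-Mcs-AdmPwd=RlT34@iw4dasdasd\n"
)

def apply_sed(script, raw):
    """Apply one s/regex/replacement/flags or y/string1/string2/ command.

    Offline approximation: Python's re stands in for Splunk's regex engine,
    and '/' must be the delimiter and must not occur inside the command.
    """
    parts = script.split("/")
    if len(parts) != 4 or parts[0] not in ("s", "y"):
        raise ValueError("unsupported sed command: " + script)
    kind, left, right, flags = parts
    if kind == "y":
        return raw.translate(str.maketrans(left, right))
    pattern = re.compile(left)
    if flags == "g":
        return pattern.sub(right, raw)
    # A numeric flag replaces only that match; no flag means the first one.
    target, seen = (int(flags) if flags else 1), 0
    def nth_only(match):
        nonlocal seen
        seen += 1
        return match.expand(right) if seen == target else match.group(0)
    return pattern.sub(nth_only, raw)

def password_line(script, raw=SAMPLE_EVENT):
    """Return the ms-Mcs-AdmPwd line as it would look after masking."""
    masked = apply_sed(script, raw)
    return next(l for l in masked.splitlines() if l.startswith("ms-Mcs-AdmPwd="))

CANDIDATES = {
    # Underscore name from the search-time rex (its \2 dropped: only one group).
    "underscore": r"s/ms_Mcs_AdmPwd=(\w+)/###/g",
    # Hyphenated name, but \w+ stops at the first symbol such as '@'.
    "word_chars": r"s/(ms-Mcs-AdmPwd=)\w+/\1###/g",
    # Hyphenated name, value taken up to the next whitespace.
    "non_space": r"s/(ms-Mcs-AdmPwd=)\S+/\1###/g",
}

if __name__ == "__main__":
    for name, script in CANDIDATES.items():
        print(f"{name:11} {password_line(script)}")
```

Only the `non_space` candidate removes the whole value; the other two leave all or part of the password in the indexed event.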