Removal of the confidential data


Hello Splunkers!!

Below are the sample events I have, in which I want to mask the UserID field and the Password field. There are no selected or interesting fields available. I want to mask it from the raw event directly. Please suggest a solution from the UI using the rex mode command, and a second solution using props.conf and transforms.conf from the backend.


Sample log:
<?xml version="1.0" encoding="UTF-8"?>
<HostMessage><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="no"?><UserMasterRequest><MessageID>25255620</MessageID><MessageCreated>2024-04-05T07:00:55Z</MessageCreated><OpCode>CHANGEPWD</OpCode><UserId>pnkof123</UserId><Password>Summer123</Password><PasswordExpiry>2024-06-09</PasswordExpiry></UserMasterRequest>]]><original_header><IfcLogHostMessage xsi:schemaLocation=" GtwLogging_V1.0.0.xsd">


@ITWhisperer @scelikok I created the two regexes below and I think they are working fine from the UI.

| rex field=_raw mode=sed "s/Password\>([A-Za-z0-9]+)/Placeholder/g"
| rex field=_raw mode=sed "s/UserId\>([A-Za-z0-9]+)/UserID/g"

One question: shall I apply the same regex in transforms.conf?



Hi @uagraw01,

You can also use Ingest Actions in the UI.


If this reply helps you, an upvote and "Accept as Solution" is appreciated.


rex has a mode option which can be set to sed to allow for edits to strings.

rex - Splunk Documentation

props.conf has SEDCMD- stanzas which can do the editing before indexing.

props.conf - Splunk Documentation
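
A props.conf sketch of the SEDCMD approach mentioned above, added here as an example and not taken from the thread or from Splunk's documentation. The sourcetype name `host_message_xml` and the class names `mask_password` and `mask_userid` are assumptions, and the mask string is arbitrary.

```ini
# props.conf on the first full Splunk Enterprise instance that parses the data
# (heavy forwarder or indexer). SEDCMD runs at index time, so only events
# indexed after the change are masked; already-indexed events keep the
# clear-text values.
# Assumption: the events arrive with sourcetype "host_message_xml"; replace it
# with the real sourcetype (or use a source:: / host:: stanza).
[host_message_xml]

# Keep the opening tag through capture group \1 and replace everything up to
# the next "<". [^<]* also covers values containing punctuation, whereas a
# class such as [A-Za-z0-9]+ masks only up to the first special character
# and leaves the remainder of the password in _raw.
SEDCMD-mask_password = s/(<Password>)[^<]*/\1########/g
SEDCMD-mask_userid = s/(<UserId>)[^<]*/\1########/g
```

With these settings the sample event is indexed with `<UserId>########</UserId><Password>########</Password>` and the rest of the event unchanged.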
