Splunk Search

Help regex for masking

Explorer

Hi,

Can someone please help me regex a password field to mask data?

I've been trying to figure out how to mask the password in the following example;

  • npx violation-comments-to-cloud-command-line -username JoeSmith@company.com -password abcdef78 -ws walace -rs ttcc-lsls -prid 1441 -v CHECKSTYLE . '.*/reports/filename-goes-here-results.xml$' ESLint -keep-old-comments true -www1 true

I've tried many variations but it either deletes the remainder of the event or doesn't work.

[password-anonymizer]
REGEX =(?m)^(-password\s).*$
FORMAT = $1########
DEST_KEY = _raw

Thanks

Labels (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html

 [password-anonymizer]
 REGEX = (?m)(.*-password )\w+(.*)
 FORMAT = $1#######$2
 DEST_KEY =_raw

For DEST_KEY =_raw , you should keep all text in the event by REGEX.

@richgalloway 's way or my way, As you wish.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html

 [password-anonymizer]
 REGEX = (?m)(.*-password )\w+(.*)
 FORMAT = $1#######$2
 DEST_KEY =_raw

For DEST_KEY =_raw , you should keep all text in the event by REGEX.

@richgalloway 's way or my way, As you wish.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

View solution in original post

0 Karma

Explorer

Thank you. This worked like a charm.

0 Karma

SplunkTrust
SplunkTrust

Try using SEDCMD in your props.conf file.

[mysourcetype]
SEDCMD-maskpw = s/-password -w+/-password ########/
---
If this reply helps you, an upvote would be appreciated.