Hi,
Can someone please help me regex a password field to mask data?
I've been trying to figure out how to mask the password in the following example;
I've tried many variations but it either deletes the remainder of the event or doesn't work.
[password-anonymizer]
REGEX =(?m)^(-password\s).*$
FORMAT = $1########
DEST_KEY = _raw
Thanks
related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html
[password-anonymizer]
REGEX = (?m)(.*-password )\w+(.*)
FORMAT = $1#######$2
DEST_KEY =_raw
For DEST_KEY = _raw, you should keep all text in the event by REGEX.
@richgalloway's way or my way, as you wish.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
Thank you. This worked like a charm.
Try using SEDCMD in your props.conf file.
[mysourcetype]
SEDCMD-maskpw = s/-password \w+/-password ########/
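An added example, not part of the thread and not Splunk's own code: a Python emulation of the transforms and the SEDCMD posted above, run over constructed events. It assumes that a transform with `DEST_KEY = _raw` replaces the whole event with `FORMAT`, and it uses Python's `re` in place of Splunk's PCRE. It shows why the question's regex drops text, and that `\w+` leaves the tail of a password containing punctuation unmasked; the `\S+` variants are a suggested hardening that assumes passwords contain no whitespace.

```python
import re

# Constructed sample data (not from the thread); the password contains punctuation.
SECRET = "S3cr3t!x9"
EVENT_MID = "2020-05-18 10:02:11 run.sh -user svc_app -password S3cr3t!x9 -host db01"
EVENT_START = "-password S3cr3t!x9 -host db01"

# (REGEX, FORMAT) pairs: the question's, the answer's, and a hardened variant.
ASKER = (r"(?m)^(-password\s).*$", "$1########")
ANSWER = (r"(?m)(.*-password )\w+(.*)", "$1#######$2")
HARDENED = (r"(?m)(.*-password )\S+(.*)", "$1#######$2")

def apply_transform(raw, regex, fmt):
    """Emulate DEST_KEY = _raw: on a match the whole event becomes FORMAT,
    so any text outside the capture groups is lost."""
    m = re.search(regex, raw)
    if m is None:
        return raw  # no match: the event is left unchanged
    # Expand $1, $2, ... from the capture groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", fmt)

def apply_sedcmd(raw, pattern, replacement):
    """Emulate SEDCMD s/pattern/replacement/: only the matched span changes."""
    return re.sub(pattern, replacement, raw, count=1)

def leaked_fragment(masked, secret):
    """Longest substring of the secret (3+ chars) still present in the output."""
    for size in range(len(secret), 2, -1):
        for start in range(len(secret) - size + 1):
            if secret[start:start + size] in masked:
                return secret[start:start + size]
    return ""

if __name__ == "__main__":
    cases = [
        ("asker, mid-line", apply_transform(EVENT_MID, *ASKER)),
        ("asker, line start", apply_transform(EVENT_START, *ASKER)),
        ("answer \\w+", apply_transform(EVENT_MID, *ANSWER)),
        ("hardened \\S+", apply_transform(EVENT_MID, *HARDENED)),
        ("sedcmd \\w+", apply_sedcmd(EVENT_MID, r"-password \w+", "-password ########")),
        ("sedcmd \\S+", apply_sedcmd(EVENT_MID, r"-password \S+", "-password ########")),
    ]
    for name, out in cases:
        print(f"{name:18} leak={leaked_fragment(out, SECRET)!r:12} {out}")
```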