Splunk Search

Help regex for masking

mishutts
Explorer

Hi,

Can someone please help me regex a password field to mask data?

I've been trying to figure out how to mask the password in the following example;

  • npx violation-comments-to-cloud-command-line -username JoeSmith@company.com -password abcdef78 -ws walace -rs ttcc-lsls -prid 1441 -v CHECKSTYLE . '.*/reports/filename-goes-here-results.xml$' ESLint -keep-old-comments true -www1 true

I've tried many variations but it either deletes the remainder of the event or doesn't work.

[password-anonymizer]
REGEX =(?m)^(-password\s).*$
FORMAT = $1########
DEST_KEY = _raw

Thanks

Labels (1)
0 Karma
1 Solution

to4kawa
Ultra Champion

related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html

 [password-anonymizer]
 REGEX = (?m)(.*-password )\w+(.*)
 FORMAT = $1#######$2
 DEST_KEY =_raw

For DEST_KEY =_raw , you should keep all text in the event by REGEX.

@richgalloway 's way or my way, As you wish.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

View solution in original post

0 Karma

to4kawa
Ultra Champion

related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html

 [password-anonymizer]
 REGEX = (?m)(.*-password )\w+(.*)
 FORMAT = $1#######$2
 DEST_KEY =_raw

For DEST_KEY =_raw , you should keep all text in the event by REGEX.

@richgalloway 's way or my way, As you wish.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

0 Karma

mishutts
Explorer

Thank you. This worked like a charm.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try using SEDCMD in your props.conf file.

[mysourcetype]
SEDCMD-maskpw = s/-password -w+/-password ########/
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...