Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help regex for masking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can someone please help me regex a password field to mask data?
I've been trying to figure out how to mask the password in the following example;
- npx violation-comments-to-cloud-command-line -username JoeSmith@company.com -password abcdef78 -ws walace -rs ttcc-lsls -prid 1441 -v CHECKSTYLE . '.*/reports/filename-goes-here-results.xml$' ESLint -keep-old-comments true -www1 true
I've tried many variations but it either deletes the remainder of the event or doesn't work.
[password-anonymizer]
REGEX =(?m)^(-password\s).*$
FORMAT = $1########
DEST_KEY = _raw
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html
[password-anonymizer]
REGEX = (?m)(.*-password )\w+(.*)
FORMAT = $1#######$2
DEST_KEY =_raw
For DEST_KEY =_raw , you should keep all text in the event by REGEX.
@richgalloway 's way or my way, As you wish.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html
[password-anonymizer]
REGEX = (?m)(.*-password )\w+(.*)
FORMAT = $1#######$2
DEST_KEY =_raw
For DEST_KEY =_raw , you should keep all text in the event by REGEX.
@richgalloway 's way or my way, As you wish.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This worked like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using SEDCMD in your props.conf file.
[mysourcetype]
SEDCMD-maskpw = s/-password -w+/-password ########/
If this reply helps you, Karma would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
