Splunk Search

Help regex for masking

mishutts
Explorer

Hi,

Can someone please help me regex a password field to mask data?

I've been trying to figure out how to mask the password in the following example;

  • npx violation-comments-to-cloud-command-line -username [email protected] -password abcdef78 -ws walace -rs ttcc-lsls -prid 1441 -v CHECKSTYLE . '.*/reports/filename-goes-here-results.xml$' ESLint -keep-old-comments true -www1 true

I've tried many variations but it either deletes the remainder of the event or doesn't work.

[password-anonymizer]
REGEX =(?m)^(-password\s).*$
FORMAT = $1########
DEST_KEY = _raw

Thanks

Labels (1)
0 Karma
1 Solution

to4kawa
Ultra Champion

related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html

 [password-anonymizer]
 REGEX = (?m)(.*-password )\w+(.*)
 FORMAT = $1#######$2
 DEST_KEY =_raw

For DEST_KEY =_raw , you should keep all text in the event by REGEX.

@richgalloway 's way or my way, As you wish.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

View solution in original post

0 Karma

to4kawa
Ultra Champion

related answer: https://answers.splunk.com/answers/824299/anonymize-data-from-json-file.html

 [password-anonymizer]
 REGEX = (?m)(.*-password )\w+(.*)
 FORMAT = $1#######$2
 DEST_KEY =_raw

For DEST_KEY =_raw , you should keep all text in the event by REGEX.

@richgalloway 's way or my way, As you wish.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

0 Karma

mishutts
Explorer

Thank you. This worked like a charm.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try using SEDCMD in your props.conf file.

[mysourcetype]
SEDCMD-maskpw = s/-password -w+/-password ########/
---
If this reply helps you, Karma would be appreciated.
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...