Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can i mask this data at index time?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will like to mask this data so that the password value is "XXXXXXXX". I have tried SEDCMD, scrub and transforms but I just couldn't get it done. Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index time means you can never recover the value again. Splunk's official documentation to anonymize data
- Create an app (eg my_mask_app)
- within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg
probable_password_sourcetype) - within "local" directory, create props.conf and put the value for the above sourcetype
Example
[probable_password_sourcetype]
TRANSFORMS-anonymize = password-anonymizer
- Now create transforms.conf in "local" and put the regex logic. Below is a sample only
Example
[password-anonymizer]
REGEX = (?m)^(.*)password=\w+(\w{4}[&"].*)$
FORMAT = $1password=########$2
DEST_KEY = _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index time means you can never recover the value again. Splunk's official documentation to anonymize data
- Create an app (eg my_mask_app)
- within "local" directory, create inputs.conf and assign a good sourcetype for your dataset (eg
probable_password_sourcetype) - within "local" directory, create props.conf and put the value for the above sourcetype
Example
[probable_password_sourcetype]
TRANSFORMS-anonymize = password-anonymizer
- Now create transforms.conf in "local" and put the regex logic. Below is a sample only
Example
[password-anonymizer]
REGEX = (?m)^(.*)password=\w+(\w{4}[&"].*)$
FORMAT = $1password=########$2
DEST_KEY = _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @ koshyk for the insight. But I'm still having issues getting the sample data masked at index time.
Sample data to be masked : ns2:arg name="password" value="utTSsgTST9B"/
props.conf
[password_log]
TRANSFORMS-anonymize = password-anonymizer
transforms.conf
[password-anonymizer]
REGEX = (?m)^(.)"password"=\s\w+('[a-z0-9#])["/].)$
FORMAT = $1password=########$2
DEST_KEY = _raw
What am i doing wrong?
Thanks
-u
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to see a sample data. Your regex seems wrong
Have a try below.
[password-anonymizer]
REGEX =(?m)^(.+)\svalue=\"([\w\W]+)\"(.*)$
FORMAT = $1 value=########$3
DEST_KEY = _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. It worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please mark the answer as accepted if this works for you 😉
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
