Re: Need to change the value of field using sed

Vignesh-107 · ‎03-19-2021

I want to replace the values of alertnateId and displayName to "****", I tried with below sed command but its not changing the the whole value.

index=sample
| rex mode=sed "s/(\"alternateId\"\:\s+\")(\w+)/\1****\"/g"
| rex mode=sed "s/(\"displayName\"\:\s+\")(\w+\W)/\1****\"/g"

_raw data:
{"logs_id": "4890d36f-5ee3-11eb-b3a5-852911ef9cd4", "securityContext": { "alternateId": "****"@Anonymous.com", "id": "ramxghl092", "displayName": "****"System"},

Expected is to get

{"logs_id": "4890d36f-5ee3-11eb-b3a5-852911ef9cd4", "securityContext": { "alternateId": "****", "id": "ramxghl092", "displayName": "****"},

KailA · ‎03-19-2021

Hello,

I guess that you don't have the "****" in the raw data so I did this example for you :

| makeresults 
| eval test = "{\"logs_id\": \"4890d36f-5ee3-11eb-b3a5-852911ef9cd4\", \"securityContext\": { \"alternateId\": \"test.test@gmail.com\", \"id\": \"ramxghl092\", \"displayName\": \"testSystem\"},"
| rex field=test mode=sed "s/(\"alternateId\":\s+\")([^\"]+)/\1****/g"
| rex field=test mode=sed "s/(\"displayName\"\:\s+\")([^\"]+)/\1****/g"

It will match everything till the quotation mark

Let me know if it helps you 🙂

to4kawa · ‎03-19-2021

index=_internal | head 1 | fields _raw
| eval _raw="{\"logs_id\": \"4890d36f-5ee3-11eb-b3a5-852911ef9cd4\", \"securityContext\": { \"alternateId\": \"****@gmail.com\", \"id\": \"ramxghl092\", \"displayName\": \"****System\"},"
| rex mode=sed "s/((alternateId|displayName)\":\s*)\".*?\"/\1\"*****\"/g"

Need to change the value of field using sed

rex

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!