Splunk Search

Splunk-reskit-powershell Query Masking Data

MrMalice
Explorer

I am trying to identify if events have password info in the returned events. I can run a query using the Search app and it returns the data that I am looking for. I visually examine the _raw output listing for the word 'password'. When I execute the same query using splunk-reskit-powershell the data is returned; however, the word 'password' is replaced with a ',' comma in the _raw data listing.

The syntax of my query is in the form of : index= sourcetype= 'password'

I use preset times when using the GUI and starttime and endtime when using PowerShell.

Is there a way to prevent the data from being replaced in my output from the powershell query?

0 Karma
1 Solution

MrMalice
Explorer

I was unable to determine why the results from my search didn't include the search phrase from my search.
Example: index="main" sourcetype="splunkd" "FooFoo"
In my example the results in the _raw field would return all of the events without the word FooFoo in them.

In order to get around this anomaly I piped the predicate out to regex.
index="main" sourcetype="splunkd" | regex _raw = "FooFoo"

This returned all events along with the word "FooFoo" present in the result set.

0 Karma

MrMalice
Explorer

I've found that the results returned from my query will hide the word being searched on regardless of whether it says 'password' or not. When I use the -expandproperty option on the raw field it totally removes the word being searched for from the result set. If I don't use the -expandproperty option then it replaces my search string with a ',' comma.
Since this problem seems to be bigger than my initial question that I posed, I'm going to close this question and get the latest version of the kit from GitHub. I hope that resolves this issue.

Regards,
M

0 Karma
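The thread never establishes why the searched-for word vanishes from _raw, but both symptoms reported above (the term replaced by a comma, or removed entirely with -expandproperty) are what a client gets when it parses Splunk's XML results format without reading the highlight segments: in that format the _raw value is a <v> element whose matched search terms are wrapped in <sg h="1"> child elements, so a parser that reads only the element's direct text nodes drops or separates exactly the word that was searched for. A term applied later through a regex command is not a search term of the base search and gets no such markup, which is consistent with the accepted workaround. The following is an added example, not code from splunk-reskit-powershell or from this thread: the results XML is constructed by hand to mirror Splunk's format, and the three extractors model a naive direct-text read, a naive join of text nodes, and the correct full-text read, so a reviewer can check their own client against each.

```python
"""Added example (not from the thread or the reskit): how a Splunk results
XML document with highlight segments is read by three different extractors.
The sample XML is constructed; it mirrors Splunk's <v>/<sg h="1"> layout."""
import xml.etree.ElementTree as ET

# Constructed sample: one event whose _raw contains the search term
# "password", which Splunk marks up as a highlighted <sg> segment.
SAMPLE_RESULTS_XML = """<results preview="0">
  <meta><fieldOrder><field>_raw</field><field>host</field></fieldOrder></meta>
  <result offset="0">
    <field k="_raw"><v xml:space="preserve" trim="1">user admin changed <sg h="1">password</sg> via web</v></field>
    <field k="host"><value><text>web01</text></value></field>
  </result>
</results>
"""


def raw_values(xml_text, extractor):
    """Return the _raw value of every <result>, read with extractor(<v>)."""
    root = ET.fromstring(xml_text)
    out = []
    for result in root.iter("result"):
        for field in result.findall("field"):
            if field.get("k") == "_raw":
                out.append(extractor(field.find("v")))
    return out


def naive_direct_text(v):
    """Models a parser that reads only the leading text node of <v>:
    everything from the first child element onward is lost."""
    return v.text or ""


def naive_join_text_nodes(v):
    """Models a parser that collects the direct text nodes as a list and
    joins them with a comma: the highlighted term becomes the separator."""
    nodes = [v.text or ""] + [child.tail or "" for child in v]
    return ",".join(nodes)


def full_text(v):
    """Correct read: concatenate every text node in document order,
    including the text inside <sg> highlight elements."""
    return "".join(v.itertext())


def contains_term(xml_text, term, extractor=full_text):
    """True when any extracted _raw value still contains the term."""
    return any(term in raw for raw in raw_values(xml_text, extractor))


if __name__ == "__main__":
    for name, fn in [("direct-text", naive_direct_text),
                     ("joined-nodes", naive_join_text_nodes),
                     ("itertext", full_text)]:
        print(f"{name:13s} {raw_values(SAMPLE_RESULTS_XML, fn)[0]!r}")
```

Running the block prints the same event three ways: the direct-text read stops before the highlighted word, the joined read yields "user admin changed , via web" (the comma the original poster saw), and the itertext read returns the event intact, so a check such as contains_term(xml, "password") only gives a trustworthy answer with the full-text extractor.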

MrMalice
Explorer

The editor changed the context of my example.
It should read:
The syntax of my query is in the form of : index= "index_name" sourcetype="sourcetype_name" 'password'

0 Karma