Re: regex to mask password in props.conf

caitcait · ‎05-18-2017

I am need of help to build the regex to mask a password string looking similar to this

Password: 22222222abc222222222892222red22222222222+,

Can someone please assist?

Thank you!

rdudipala · ‎01-23-2019

It worked only for one group. thanks for help.

rdudipala · ‎01-18-2019

,Guys,

I have same issue, Used above props.conf & transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

My log looks like this
{"Username":"rdudipala2","Password":"Newusers1"}

Can someone please assist?

FrankVl · ‎01-22-2019

That REGEX only has 1 capturing group, while the FORMAT expects 2 capturing groups. That will fail to execute (and probably also throws errors in splunk's internal logs?).

sravankaripe · ‎05-18-2017

During search time replace the password with ########

https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Replace

gcusello · ‎05-18-2017

Hi caitcait,

the password showed in your example is the password to anonymize I think: in a row there is

Password: your_password,

and you want to transform into

Password:##########,

so you have to modify
props.conf

[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer

transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

see https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Anonymizedata

Bye.
Giuseppe

caitcait · ‎05-18-2017

Hi Giuseppe,

I'm sorry I should have clarified I'm using SEDCMD only in this case.

Thank you!

gcusello · ‎01-21-2019

Hi caitcait,
ok
try something like this in props.conf

SEDCMD-my_transformation = s/Password:[^,]/Password:\*{8}/g

for more details see at https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata .

Bye.
Giuseppe

rdudipala · ‎01-22-2019

thanks it worked today.

gcusello · ‎01-23-2019

If this solution answers to your question, please accept and/or upvote it.
Bye.
Giuseppe

rdudipala · ‎01-21-2019

hi Cusello,

I used both scenario vise versa but no result

Proprs.conf:-

[ABC.com]

scenario -1
TRANSFORMS-password_mask = session-anonymizer
SEDCMD-password_mask = s/Password:[^,]/Password:*{8}/g

scenario -2
TRANSFORMS-password_mask = ABC.com.com
SEDCMD-password_mask = s/Password:{\w(8)}/Password:##########\1/g

transforms.conf:-
[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

[session-anonymizer]
REGEX = (?m)^(.)Password:\s(\S+)(.)$
FORMAT = $1Password: ############$2
DEST_KEY = _raw

regex to mask password in props.conf

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

regex to mask password in props.conf

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25