We are trying to mask some data from winhostmon using SEDCMD.
The sample data (sourcetype=WinHostMon source=process):
Type=Process
Name="wfcrun32.exe"
ProcessId=1
CommandLine="C:\PROGRAM FILES (X86)\Test\test.EXE" /h0 "C:\Program Files (x86)\Test2\test2.test" /username:"Test" /domain:AD /password:"test"
StartTime="20170516135737.278912+120"
Host="test-test2-test3"
Path="C:\PROGRAM FILES (X86)\Test\test.EXE"
Props:
[WinHostMon]
SEDCMD-anonymize=s/\/password.*$/\/password:XXXXX/g
The issue is that it is not masking the data. I have tried sourcetype, source and host on the indexer, but still it's not masking.
If I upload a test file with data using the add data option I am able to mask the data using the SEDCMD; the same goes for a file with a static sourcetype.
My guess is that the source/sourcetype is not correct because of the way Splunk identifies the data at indexing/parsing.
Does anyone have an idea how I can mask the data at indexing time?
The data is being sent from a universal forwarder to our indexers, so it is not passing through a heavy forwarder.
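One thing worth checking before hunting for the right props.conf stanza is whether the substitution itself matches a multi-line WinHostMon event. The script below is an added example, not code from the post or from Splunk: it applies the posted pattern `s/\/password.*$/\/password:XXXXX/g` to a constructed copy of the sample event with Python's `re` module as a stand-in for Splunk's PCRE-based SEDCMD. Whether Splunk treats `$` as end-of-event or end-of-line when applying SEDCMD is not established by this post, so both interpretations are shown; the second pattern (`/password:"[^"]*"`) is an assumed alternative that masks only the quoted value and does not depend on how `$` is handled.

```python
import re

# Constructed sample event, mirroring the WinHostMon process record in the post.
# It is multi-line: CommandLine is followed by StartTime, Host and Path.
SAMPLE_EVENT = (
    'Type=Process\n'
    'Name="wfcrun32.exe"\n'
    'ProcessId=1\n'
    'CommandLine="C:\\PROGRAM FILES (X86)\\Test\\test.EXE" /h0 '
    '"C:\\Program Files (x86)\\Test2\\test2.test" /username:"Test" '
    '/domain:AD /password:"test"\n'
    'StartTime="20170516135737.278912+120"\n'
    'Host="test-test2-test3"\n'
    'Path="C:\\PROGRAM FILES (X86)\\Test\\test.EXE"\n'
)

# Pattern and replacement exactly as in the post's props.conf SEDCMD.
ORIGINAL_PATTERN = r'/password.*$'
ORIGINAL_REPLACEMENT = '/password:XXXXX'

# Assumed alternative: match the quoted password value itself, no $ anchor.
ANCHOR_FREE_PATTERN = r'/password:"[^"]*"'
ANCHOR_FREE_REPLACEMENT = '/password:"XXXXX"'


def apply_sedcmd(event, pattern, replacement, multiline):
    """Apply an s/pattern/replacement/g substitution to the whole event.

    multiline=False: '$' matches only at the end of the event (Python's
    default, which is also PCRE's default).
    multiline=True: '$' matches at the end of every line.
    """
    flags = re.MULTILINE if multiline else 0
    return re.sub(pattern, replacement, event, flags=flags)


def password_visible(event):
    """True if the clear-text password from the sample is still present."""
    return '/password:"test"' in event


if __name__ == "__main__":
    for name, pat, rep in (
        ("posted pattern", ORIGINAL_PATTERN, ORIGINAL_REPLACEMENT),
        ("anchor-free pattern", ANCHOR_FREE_PATTERN, ANCHOR_FREE_REPLACEMENT),
    ):
        for ml in (False, True):
            out = apply_sedcmd(SAMPLE_EVENT, pat, rep, ml)
            print(f"{name:20s} multiline={ml!s:5s} "
                  f"masked={not password_visible(out)}")
```

Run as-is, the posted pattern leaves the password in place when `$` is end-of-event (the `.*` cannot cross the newline before `StartTime=`, so `$` never matches), and masks it only in line-anchored mode; the anchor-free pattern masks it either way. If the event really is delivered to the indexer as one multi-line record, that difference alone could explain why the same SEDCMD works on a single-line test file and not on live data.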