Hi,
I have json data to be parsed and there is a field "password" which needs to be masked at index time. Following the wiki page https://wiki.splunk.com/Community:How_to_mask_strings_in_json_event_at_Indexing_time_when_using_INDEXED_EXTRACTION I am able to mask the _raw but the field still shows plain text.
Here are my props and transforms and a screenshot from the search head:
** props.conf **
[test_json_password]
INDEXED_EXTRACTIONS = json
TIMESTAMP_FIELDS = @timestamp
SEDCMD-mask_password_raw = s/\S+( - password)/"######\1/
TRANSFORMS-mask_json_password = mask_json_password_meta
KV_MODE = none
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true
** transforms.conf **
[mask_json_password_meta]
SOURCE_KEY = _meta
DEST_KEY = _meta
REGEX = ^(.message[tT]ext::)\S+ - password" (.)
FORMAT = $1"###### - password" $2
WRITE_META = false
** Sample Data **
{
"username" : "my_username",
"password" : "my_password - password",
"validation-factors" : {
"validationFactors" : [
{
"name" : "remote_address",
"value" : "127.0.0.1"
}
]
},
"@timestamp": "2018-01-05T14:56:29.000Z",
"attributes": {
"field_1": "value_1",
"field_2": "value_2",
"field_3": "value_3"
}
}
1) Masked data in raw event
2) Clear password visible in password field
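An added example, not part of the original post and not Splunk code: a Python check that runs the two regexes from the post against the sample event to see which copy of the password each one rewrites. It assumes that indexed fields are held in `_meta` as space-separated `field::value` pairs (the `META` string is constructed on that assumption) and uses Python's `re` as a stand-in for Splunk's PCRE engine.

```python
import re

# Constructed sample: a cut-down version of the event from the post.
RAW = (
    '{\n'
    '"username" : "my_username",\n'
    '"password" : "my_password - password",\n'
    '"@timestamp": "2018-01-05T14:56:29.000Z"\n'
    '}'
)

# Constructed, assumed layout of _meta after INDEXED_EXTRACTIONS = json:
# space-separated field::value pairs, values with spaces quoted.
META = 'username::my_username password::"my_password - password" attributes.field_1::value_1'


def mask_raw(raw):
    """Apply SEDCMD-mask_password_raw: s/\\S+( - password)/"######\\1/ (first match only)."""
    return re.sub(r'\S+( - password)', r'"######\1', raw, count=1)


def mask_meta(meta):
    """Apply REGEX/FORMAT from [mask_json_password_meta], copied as posted.

    Returns (new_meta, substitutions) so the caller can tell whether the
    transform fired at all.
    """
    pattern = r'^(.message[tT]ext::)\S+ - password" (.)'
    return re.subn(pattern, r'\1"###### - password" \2', meta)


def leaks(text, secret="my_password"):
    """True if the cleartext secret is still present in text."""
    return secret in text


if __name__ == "__main__":
    masked_raw = mask_raw(RAW)
    masked_meta, hits = mask_meta(META)
    print("raw leaks:", leaks(masked_raw))
    print("meta substitutions:", hits, "meta leaks:", leaks(masked_meta))
```

On this sample the `_raw` substitution removes the cleartext value, while the `_meta` pattern, which is anchored on a `messageText::` field that the sample does not contain, makes zero substitutions.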