- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk-reskit-powershell Query Masking Data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to identify if events have password info in the returned events. I can run a query using the Search app and it returns the data that I am looking for. I visually examine the_raw output listing for the word 'password'. When I execute the same query using splunk-reskit-powershell the data is returned, however, the word 'password' is replaced with a ',' comma in the _raw data listing.
The syntax of my query is in the form of : index= sourcetype= 'password'
I use preset times when using the gui and startime and endtime when using powershell.
Is there a way to prevent the data from being replaced in my output from the powershell query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was unable to determine why the results from my search didn't include the search phrase from my search.
Example: index="main" sourcetype="splunkd" "FooFoo"
In my example the results in the_raw field would return all of the events without the word FooFoo in them.
In order to get around this anomaly I piped the predicate out to regex.
index="main" sourcetype="splunkd" | regex _raw = "FooFoo"
This returned all events along with the word "FooFoo" present in the result set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was unable to determine why the results from my search didn't include the search phrase from my search.
Example: index="main" sourcetype="splunkd" "FooFoo"
In my example the results in the_raw field would return all of the events without the word FooFoo in them.
In order to get around this anomaly I piped the predicate out to regex.
index="main" sourcetype="splunkd" | regex _raw = "FooFoo"
This returned all events along with the word "FooFoo" present in the result set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found that the results returned from my query will hide the word being searched on regardless of if it says 'password' or not. When I use the -expandproperty option on the raw field it totally removes the word being searched for from the result set. If I don't use the -expandproperty option then it replaces my search string with a ',' comma.
Since this problem seems to be bigger than my initial question that I posed, I'm going to close this question and get the latest version of the kit from GitHub. I hope that resolves this issue.
Regards,
M
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The editor changed the context of my example.
It should read:
The syntax of my query is in the form of : index= "index_name" sourcetype="sourcetype_name" 'password'
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
