regex to mask password in props.conf

caitcait
Explorer

I am in need of help to build the regex to mask a password string looking similar to this:

Password: 22222222abc222222222892222red22222222222+,

Can someone please assist?

Thank you!

0 Karma

rdudipala
New Member

It worked only for one group. thanks for help.

0 Karma

rdudipala
New Member

Guys,

I have the same issue. I used the above props.conf & transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

My log looks like this
{"Username":"rdudipala2","Password":"Newusers1"}

Can someone please assist?

0 Karma

FrankVl
Ultra Champion

That REGEX only has 1 capturing group, while the FORMAT expects 2 capturing groups. That will fail to execute (and probably also throw errors in Splunk's internal logs?).

0 Karma

sravankaripe
Communicator

During search time replace the password with ########

https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Replace

0 Karma

gcusello
SplunkTrust

Hi caitcait,

I think the password shown in your example is the password to anonymize: in a row there is

Password: your_password,

and you want to transform into

Password:##########,

so you have to modify
props.conf

[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer

transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

see https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Anonymizedata

Bye.
Giuseppe

caitcait
Explorer

Hi Giuseppe,

I'm sorry I should have clarified I'm using SEDCMD only in this case.

Thank you!

0 Karma

gcusello
SplunkTrust

Hi caitcait,
ok
try something like this in props.conf

SEDCMD-my_transformation = s/Password:[^,]/Password:\*{8}/g

for more details see https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata

Bye.
Giuseppe

0 Karma

rdudipala
New Member

thanks it worked today.

0 Karma

gcusello
SplunkTrust

If this solution answers your question, please accept and/or upvote it.
Bye.
Giuseppe

0 Karma

rdudipala
New Member

hi Cusello,

I used both scenarios vice versa but no result

Props.conf:-

[ABC.com]

scenario -1
TRANSFORMS-password_mask = session-anonymizer
SEDCMD-password_mask = s/Password:[^,]/Password:*{8}/g

scenario -2
TRANSFORMS-password_mask = ABC.com.com
SEDCMD-password_mask = s/Password:{\w(8)}/Password:##########\1/g

transforms.conf:-
[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

[session-anonymizer]
REGEX = (?m)^(.)Password:\s(\S+)(.)$
FORMAT = $1Password: ############$2
DEST_KEY = _raw

0 Karma
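Added example, not part of any post in this thread: a Python check that replays the thread's `Password:[^,]` expression and two assumed corrected expressions against the two event formats shown above, so a masking rule can be tested for leftover secret characters before it goes into props.conf. Python's `re` stands in for Splunk's regex engine here, the replacement text is simplified to `########`, and the corrected patterns, the wrapper text around the sample password, and all function names are assumptions made for this example.

```python
import re

# Password values copied from the thread; the surrounding event text is constructed.
KV_SECRET = "22222222abc222222222892222red22222222222+"
KV_EVENT = "user=alice, Password: " + KV_SECRET + ", action=login"
JSON_EVENT = '{"Username":"rdudipala2","Password":"Newusers1"}'

# Pattern from the thread: [^,] has no quantifier, so it consumes ONE character.
THREAD_SED = (r"Password:[^,]", "Password:########")

# Assumed corrections (not from the thread): consume the whole value.
# As SEDCMD they would read s/<pattern>/<replacement>/g.
KV_SED = (r"Password:\s*[^,]+", "Password: ########")
# JSON form: keep the key and opening quote, replace up to the closing quote,
# stepping over backslash-escaped characters inside the value.
JSON_SED = (r'("Password"\s*:\s*")(?:[^"\\]|\\.)*"', r'\1########"')


def sed(rule, event):
    """Apply one s/pattern/replacement/g rule to an event string."""
    pattern, replacement = rule
    return re.sub(pattern, replacement, event)


def mask(event):
    """Run both corrected rules in sequence, as two SEDCMD lines would."""
    return sed(JSON_SED, sed(KV_SED, event))


def leaks(secret, masked_event, min_len=4):
    """True if any min_len-character slice of the secret survives masking."""
    return any(secret[i:i + min_len] in masked_event
               for i in range(len(secret) - min_len + 1))


if __name__ == "__main__":
    for name, out in [("thread rule", sed(THREAD_SED, KV_EVENT)),
                      ("corrected kv", mask(KV_EVENT)),
                      ("corrected json", mask(JSON_EVENT))]:
        print(f"{name:15} {out}")
    print("thread rule leaks:", leaks(KV_SECRET, sed(THREAD_SED, KV_EVENT)))
```

The `Password:` pattern never matches the JSON event because a closing quote sits between the key and the colon, which is why that format needs its own rule.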