Hello Experts,
I have been asked to hash out one occurrence of value_key from the following logs. I have tried the following in props.conf on the indexer:
[default]
SEDCMD-hash = s/value_key:(\S+), code_key:PASSWORD/XXXXXX/g
and restarted Splunk, and instead of hiding it, it deleted all the events that contained value_key. When I try the same in search I get what I want.
*****15 lines *******
[value_key:xyzabcd.click.net, code_key:USER_NAME]
[value_key:**needtohidethispassword**, code_key:PASSWORD]
[value_key:BHN-1click, code_key:DOMAIN]
[value_key:46793, code_key:PORT_NUMBER]
[value_key:1.2.3.4, code_key:ISG_IP]
[value_key:ISG, code_key:type]
*****15 Lines*********
I know it has to be an index-time extraction only. Do I need a corresponding transforms.conf to define the class, or can I achieve it solely using props.conf? If so, could you please provide syntax/tips?
Thanks,
Raghav
Hello,
Could you test this:
SEDCMD-hash = s/(.value_key:)([^\,]+)(, code_key:PASSWORD.)/\1XXXXXX\3/g
I hope it will help you.
I got the same result as using
SEDCMD-hash = s/value_key:(\S+), code_key:PASSWORD/XXXXXX/g. Instead of
value_key:XXXXXX, code_key:PASSWORD, it replaces the whole line with [XXXXXX]. It started to make sense, as this is happening at index time before the event boundaries are marked, or I might have missed the point totally.
Appreciate your help.
Thanks,
Raghav
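The behaviour Raghav describes follows from how s/regex/replacement/ works: the replacement text stands in for the whole matched span, not just the captured group, so a regex that matches from value_key: through PASSWORD wipes everything between the brackets. The following script is an added example (not part of the original thread and not Splunk code) that replays both SEDCMD expressions from the thread over the six sample lines posted above, using Python's re module as a stand-in for Splunk's PCRE-based SEDCMD engine. The sample events are constructed from the post, the parser only models "/" delimiters and the g flag, and the function names are the example's own.

```python
import re

# Constructed sample events: the six lines visible in the post. The real log
# has more lines on either side, but they are not needed to show the effect.
SAMPLE_EVENTS = [
    "[value_key:xyzabcd.click.net, code_key:USER_NAME]",
    "[value_key:**needtohidethispassword**, code_key:PASSWORD]",
    "[value_key:BHN-1click, code_key:DOMAIN]",
    "[value_key:46793, code_key:PORT_NUMBER]",
    "[value_key:1.2.3.4, code_key:ISG_IP]",
    "[value_key:ISG, code_key:type]",
]

# The two expressions from the thread, exactly as they would follow
# "SEDCMD-<class> = " in props.conf.
SEDCMD_ORIGINAL = r"s/value_key:(\S+), code_key:PASSWORD/XXXXXX/g"
SEDCMD_SUGGESTED = r"s/(.value_key:)([^\,]+)(, code_key:PASSWORD.)/\1XXXXXX\3/g"

# s/regex/replacement/flags with "/" as the delimiter; a backslash-escaped
# character (including "\/") never terminates a part. Assumption: only the
# "/" delimiter and the "g" flag are modelled, which covers both expressions
# above.
_SEDCMD_RE = re.compile(r"^s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([a-z0-9]*)$")


def parse_sedcmd(sedcmd):
    """Return (regex, replacement, flags) for an s/regex/replacement/flags string."""
    m = _SEDCMD_RE.match(sedcmd)
    if not m:
        raise ValueError("not an s/regex/replacement/flags expression: %r" % sedcmd)
    return m.group(1), m.group(2), m.group(3)


def apply_sedcmd(sedcmd, event):
    """Apply one SEDCMD-style substitution to a single raw event string.

    \1..\9 backreferences mean the same thing in Python's re.sub as in the
    SEDCMD replacement text, so the replacement is passed through unchanged.
    Without the g flag only the first match is replaced.
    """
    regex, replacement, flags = parse_sedcmd(sedcmd)
    count = 0 if "g" in flags else 1  # count=0 means "all occurrences"
    return re.sub(regex, replacement, event, count=count)


def mask_events(sedcmd, events):
    """Apply the substitution to every event in a list."""
    return [apply_sedcmd(sedcmd, e) for e in events]


def secret_still_present(events, secret):
    """True if the plaintext secret survives anywhere in the masked events."""
    return any(secret in e for e in events)


if __name__ == "__main__":
    for label, sedcmd in (("original", SEDCMD_ORIGINAL), ("suggested", SEDCMD_SUGGESTED)):
        print("==", label, sedcmd)
        for before, after in zip(SAMPLE_EVENTS, mask_events(sedcmd, SAMPLE_EVENTS)):
            marker = "  " if before == after else "* "
            print(marker + after)
    # A multi-line event (all six lines joined) behaves the same way: neither
    # regex can run past the comma or the whitespace that ends the value.
    joined = "\n".join(SAMPLE_EVENTS)
    print(apply_sedcmd(SEDCMD_SUGGESTED, joined))
```

Run stand-alone, the original expression turns the password line into [XXXXXX] while the suggested one yields [value_key:XXXXXX, code_key:PASSWORD]; the other five lines are untouched by both, and the plaintext password is gone in both cases. The script only reproduces the regex semantics: it says nothing about which stanza the setting belongs in or which Splunk instance applies it. SEDCMD runs in the parsing pipeline, so it has to live on the instance that parses the data (an indexer or heavy forwarder, not a universal forwarder) and only affects events indexed after the change.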
Do you want this to happen for all sourcetypes OR one particular sourcetype (asking as you created this entry in [default] stanza)?
I tried
[Sourcetype]
Sedcmd-xyz = s/regex/####/g
and had no luck.