I need to anonymize ES credentials going to syslog.
I need to redact only the password and leave the user name: -u admin:password
Something like -u [^:]:[^\s]
Can I use SEDCMD for this?
I see samples where the value of admin is fixed. I need to leave that value as it is.
Thanks in advance.
Try this run-anywhere search:
| makeresults
| eval _raw="user name -u nathanpaul8:xczveffd"
| rex field=_raw mode=sed "s/(-u\s[^\:]+\:)([^\s]+)/\1XXXXX/g"
In props.conf on the indexer/heavy forwarder, you need to put:
[<your_sourcetype>]
SEDCMD-password = s/(-u\s[^\:]+\:)([^\s]+)/\1XXXXX/g
Let me know if this helps!
Thanks to both.
Try this in props.conf on the indexer/heavy forwarder:
[sourcetype]
SEDCMD-cc = s/(?i)(-u\s[^\:]+\:)\w+/\1xxxxxxx/g
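Before shipping either rule to an indexer it is worth running both patterns over a handful of events and checking what is left of the password afterwards, since `[^\s]+` and `\w+` behave differently on passwords with punctuation. The following is an added example (mine, not code from the thread or from Splunk) that does this in Python, whose re module stands in for Splunk's PCRE engine for these patterns. It goes beyond the single event in the answers: it also covers a password with non-word characters, two credentials on one line, and a -u with a user name but no password. The sample events, the host name and the tightened third pattern are my own constructions and assumptions, not part of the original thread.

```python
from __future__ import annotations

import re

# Constructed sample events for testing the two SEDCMD rules posted above; these
# are not from the original thread. Event 2 has a password containing non-word
# characters, event 3 carries two credentials, and event 4 has -u with a user
# name but no password, followed by a URL that contains a colon.
SAMPLE_EVENTS = [
    "user name -u nathanpaul8:xczveffd",
    "curl -s -u admin:p4ss-w0rd! https://es.example.internal:9200/_cluster/health",
    "retry -u svc_ingest:abc123 then -u admin:topsecret",
    "curl -u admin https://es.example.internal:9200/_cat/indices",
]

# The rules from the two answers as (pattern, replacement). The posted patterns
# escape the colon as \: which is the same as a literal colon.
SED_NONSPACE = (r"(-u\s[^:]+:)([^\s]+)", r"\1XXXXX")   # first answer
SED_WORD = (r"(?i)(-u\s[^:]+:)\w+", r"\1xxxxxxx")       # second answer
# Tightened variant (a suggestion of mine, not from the thread): the user name
# part may not contain whitespace, so a bare "-u admin https://host:9200/x"
# is left untouched instead of having its URL partly replaced.
SED_TIGHT = (r"(-u\s[^:\s]+:)\S+", r"\1XXXXX")

# What a credential looks like in the *unmasked* event: -u user:secret
CREDENTIAL = re.compile(r"-u\s([^:\s]+):(\S+)")


def apply_sedcmd(event: str, pattern: str, replacement: str) -> str:
    """Apply one SEDCMD-style s/pattern/replacement/g rule to an event.

    Python's re module stands in for Splunk's PCRE engine; for these patterns
    the two agree, and re.sub replaces every match just like the /g flag.
    """
    return re.sub(pattern, replacement, event)


def residual_secrets(event: str, masked: str) -> list[str]:
    """Return, per credential in the original event, what survives after masking.

    The masked event is searched for the same 'user:' prefix and whatever
    follows it up to whitespace is taken, minus a leading run of placeholder
    characters. An empty string means the secret was fully masked.
    """
    residues = []
    for user, _secret in CREDENTIAL.findall(event):
        m = re.search(r"-u\s" + re.escape(user) + r":(\S*)", masked)
        token = m.group(1) if m else ""
        residues.append(re.sub(r"^[Xx]+", "", token))
    return residues


def leaks_for(rule: tuple[str, str]) -> dict[str, list[str]]:
    """Run a rule over all sample events and return the partial leaks it leaves."""
    leaks = {}
    for event in SAMPLE_EVENTS:
        residues = [r for r in residual_secrets(event, apply_sedcmd(event, *rule)) if r]
        if residues:
            leaks[event] = residues
    return leaks


def collateral_damage(rule: tuple[str, str]) -> list[str]:
    """Events with no credential that the rule nevertheless rewrites."""
    return [e for e in SAMPLE_EVENTS
            if not CREDENTIAL.search(e) and apply_sedcmd(e, *rule) != e]


if __name__ == "__main__":
    for name, rule in [("answer 1", SED_NONSPACE), ("answer 2", SED_WORD), ("tightened", SED_TIGHT)]:
        print(f"== {name}: s/{rule[0]}/{rule[1]}/g")
        for event in SAMPLE_EVENTS:
            print("  ", apply_sedcmd(event, *rule))
        print("   partial leaks:", leaks_for(rule))
        print("   collateral:", collateral_damage(rule))
```

Running it shows the trade-off between the two posted rules: the `\w+` rule leaves "-w0rd!" of the password p4ss-w0rd! in the clear, while the `[^\s]+` rule masks the whole token but, because `[^:]+` also matches spaces, rewrites a credential-less "-u admin https://host:9200/..." into "-u admin https:XXXXX". Excluding whitespace from the user-name class fixes both. Remember that SEDCMD runs at parse time on the indexer or heavy forwarder, so it only affects data indexed after the change; events already on disk keep their passwords.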
Thanks to both. I realized I am using another TRANSFORMER for the same source. I started managing Splunk a couple of months ago. Can I use both TRANSFORMER and SEDCMD?
You cannot use SEDCMD on the source field.
Have a look at https://answers.splunk.com/answers/7916/transform-to-switch-source-field-path-separator-from-to.html