time: 20180227120538
... 1 line omitted ...
changetype: modify
replace: userPassword
userPassword: {1234}
Currently, I am trying under props.conf but it doesn't seem to work.
SEDCMD-masking = s/\suserPassword:\s\S+/\suserPassword:\s/################################################/
You can try a combination of props.conf and transforms.conf: https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Anonymizedata
props.conf
[<spec>]
TRANSFORMS-mask = password-masker
transforms.conf
[password-masker]
REGEX = (?m)^(.*)userPassword:\s(\S+)(.*)$
FORMAT = $1userPassword: ################################################$3
DEST_KEY = _raw
I tried the above transform and props config and it is modifying the whole event and just showing
userPassword: ################################################
Is this your full event you are trying to modify?
time: 20180227120538
... 1 line omitted ...
changetype: modify
replace: userPassword
userPassword: {1234}
It's likely having issues with the multiline format. Try the regex (?s)(.*)userPassword:\s(\S+)(.*)$
The SEDCMD is also an option, which is what you are attempting. It looks like your regex may be missing the "/g" flag for replacing matches.
SEDCMD-masking = s/(userPassword:\s)\S+/\1################################################/g
You may also want to reduce the number of "#" if that isn't of importance. You don't necessarily want to make your data size larger.
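The behaviour discussed in this thread can be reproduced offline. The following is an added example, not part of the original posts and not Splunk code: Python's `re` stands in for Splunk's regex engine, and `apply_transform`, `apply_sedcmd`, the shortened mask and the sample `dn:` line are hypothetical names and constructed values. It shows why the `(?m)` transform collapses the event to one line, why the `(?s)` form keeps it, and that the `(?s)` form masks only the last `userPassword:` in an event while a global sed-style substitution masks all of them.

```python
import re

MASK = "#" * 8  # shortened mask, constructed for this example

# Constructed sample event modelled on the one in the question.
EVENT = (
    "time: 20180227120538\n"
    "dn: uid=example,dc=example,dc=com\n"
    "changetype: modify\n"
    "replace: userPassword\n"
    "userPassword: {1234}"
)

MULTILINE = r"(?m)^(.*)userPassword:\s(\S+)(.*)$"  # first suggestion
DOTALL = r"(?s)(.*)userPassword:\s(\S+)(.*)$"      # follow-up suggestion


def apply_transform(regex, raw):
    # Emulates REGEX + FORMAT with DEST_KEY = _raw: on a match the whole
    # event is replaced by "$1userPassword: MASK$3", so anything the
    # capture groups did not consume is lost.
    m = re.search(regex, raw)
    if m is None:
        return raw
    return f"{m.group(1)}userPassword: {MASK}{m.group(3)}"


def apply_sedcmd(raw):
    # Emulates a sed-style global substitution with a capture group
    # (assumed form): edits matches in place and leaves the rest alone.
    return re.sub(r"(userPassword:\s)\S+", r"\g<1>" + MASK, raw)


if __name__ == "__main__":
    # (?m): "." stops at newlines, so $1 and $3 cover one line only.
    print(repr(apply_transform(MULTILINE, EVENT)))
    # (?s): "." crosses newlines, so $1 carries the preceding lines.
    print(apply_transform(DOTALL, EVENT))
    # Two password lines in one event: greedy (.*) finds only the last.
    two = EVENT + "\nuserPassword: {5678}"
    print(apply_transform(DOTALL, two))
    print(apply_sedcmd(two))
```

After deploying either configuration, searching the index for events where `userPassword:` is followed by anything other than the mask is a quick check that no unmasked value slipped through.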