
Can you help props.conf to break the event and mask the data?

vrmandadi
Builder

I have the below sample event

{"timestamp": 1553559218742, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) Method request path: {serverId=s-2f9b4670b10148058, username=mike}", "ingestionTime": 1553559219615}, {"timestamp": 1553559218742, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) Method request query string: {}", "ingestionTime": 1553559219615},{"timestamp": 1553559218743, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) Endpoint request body after transformations: {\n  \"username\": \"mike\",\n  \"password\": \"mike\",\n  \"serverId\": \"s-2f9b4670b10148058\"\n}\n", "ingestionTime": 1553559219615}, {"timestamp": 1553559218743, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) Sending request to https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:114086737623:fu..., "ingestionTime": 1553559219615}
1. I am trying to break the event after the ingestion time, like below:

{"timestamp": 1553559218742, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) Method request path: {serverId=s-2f9b4670b10148058, username=mike}", "ingestionTime": 1553559219615}
2. In some of the events, the user name has a password in it, and I want to mask that one. Below is the sample event:

{"timestamp": 1553559218743, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) Endpoint request body after transformations: {\n \"username\": \"mike\",\n **\"password\": \"mike\"**,\n \"serverId\": \"s-2f9b4670b10148058\"\n}\n", "ingestionTime": 1553559219615}

Thanks in advance!


somesoni2
Revered Legend

Give this a try

[YourSourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\{\"timestamp\")
TIME_PREFIX = ^\:\s+
TIME_FORMAT = %s%N
# LINE_BREAKER consumes the {"timestamp" header of every event, so put it back
SEDCMD-header = s/^/{"timestamp"/
# mask the password value in the embedded request body
SEDCMD-passwordmask = s/(\"password[^\"]+\"[^\"]+)(\"[^\"]+\")/\1"##MASKED##"/
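To see what the props.conf above actually produces before pushing it to an indexer, here is an added Python harness (not from the answer and not Splunk code) that emulates the three stages on the question's sample: LINE_BREAKER consuming `{"timestamp"`, SEDCMD-header restoring it, and the password mask. It runs the answer's mask regex and a second pattern that keeps the escaped quotes intact, then parses each result as JSON, so a mask that damages the message string shows up as a parse failure. The constructed input is the first three events from the question (the truncated fourth is left out); the second pattern and all function names are the example's own.

```python
import json
import re

# Constructed input: the first three events from the question, concatenated on one
# line exactly as the original sample shows them (\n and \" are literal two-character
# sequences inside the "message" string, as they are in the raw event).
RAW = (
    '{"timestamp": 1553559218742, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) '
    'Method request path: {serverId=s-2f9b4670b10148058, username=mike}", '
    '"ingestionTime": 1553559219615}, '
    '{"timestamp": 1553559218742, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) '
    'Method request query string: {}", "ingestionTime": 1553559219615},'
    '{"timestamp": 1553559218743, "message": "(0133108c-4f5c-11e9-82ca-1b5bad0211a1) '
    'Endpoint request body after transformations: {\\n  \\"username\\": \\"mike\\",\\n  '
    '\\"password\\": \\"mike\\",\\n  \\"serverId\\": \\"s-2f9b4670b10148058\\"\\n}\\n", '
    '"ingestionTime": 1553559219615}'
)

HEADER = '{"timestamp"'

# The answer's SEDCMD-passwordmask, written as a Python (pattern, replacement) pair.
ORIGINAL_MASK = (re.compile(r'("password[^"]+"[^"]+)("[^"]+")'), r'\1"##MASKED##"')

# Example's own pattern (hypothetical, not from the answer): anchor on the escaped
# quotes \" that surround the value and replace only the characters between them,
# so the backslash escaping the closing quote survives.
FIXED_MASK = (re.compile(r'(\\"password\\":\s*\\")[^\\]*(\\")'), r'\1##MASKED##\2')


def break_events(raw):
    """Emulate LINE_BREAKER=(\\{\\"timestamp\\") plus SEDCMD-header.

    The capture group is the break and is discarded, so each chunk starts right
    after it; the header is prepended again as SEDCMD-header does. The ', '
    separator between the JSON objects is stripped here so each chunk parses;
    Splunk itself leaves it at the end of the event.
    """
    events = []
    for chunk in raw.split(HEADER):
        body = chunk.strip().rstrip(",").strip()
        if body:
            events.append(HEADER + body)
    return events


def mask_password(event, rule):
    """Apply one (compiled pattern, replacement) pair like a SEDCMD s/// rule."""
    pattern, repl = rule
    return pattern.sub(repl, event)


def parse_event(event):
    """Return the decoded event, or None when the masked text is no longer valid JSON."""
    try:
        return json.loads(event)
    except json.JSONDecodeError:
        return None


def body_password(event_obj):
    """Decode the request body embedded in 'message' and return its password field."""
    msg = event_obj["message"]
    return json.loads(msg[msg.index("{"):])["password"]


def run(rule):
    """Break, mask and parse every event; returns [(masked_text, parsed_or_None), ...]."""
    results = []
    for ev in break_events(RAW):
        masked = mask_password(ev, rule)
        results.append((masked, parse_event(masked)))
    return results


if __name__ == "__main__":
    for name, rule in (("answer's regex", ORIGINAL_MASK), ("escape-aware regex", FIXED_MASK)):
        print(f"== {name}")
        for masked, parsed in run(rule):
            status = "valid JSON" if parsed is not None else "BROKEN JSON"
            print(f"{status}: {masked}")
```

With the answer's regex the third event no longer parses: `("[^"]+")` also swallows the backslash that escapes the closing quote inside the message string, leaving `\"##MASKED##"`, and the unescaped quote terminates the JSON string early. The second pattern only touches the value between the escaped quotes, so the event still parses and `spath`-style extraction keeps working. If you port that pattern into a SEDCMD, confirm the `\\` escaping on your own indexer; this harness checks the regex semantics, not props.conf parsing.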
