It worked only for one group. thanks for help.
,Guys,
I have same issue, Used above props.conf & transforms.conf
[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw
My log looks like this
{"Username":"rdudipala2","Password":"Newusers1"}
Can someone please assist?
That REGEX only has 1 capturing group, while the FORMAT expects 2 capturing groups. That will fail to execute (and probably also throws errors in splunk's internal logs?).
During search time replace the password with ########
https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Replace
Hi caitcait,
the password showed in your example is the password to anonymize I think: in a row there is
Password: your_password,
and you want to transform into
Password:##########,
so you have to modify
props.conf
[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer
transforms.conf
[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw
see https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Anonymizedata
Bye.
Giuseppe
Hi Giuseppe,
I'm sorry I should have clarified I'm using SEDCMD only in this case.
Thank you!
Hi caitcait,
ok
try something like this in props.conf
SEDCMD-my_transformation = s/Password:[^,]/Password:\*{8}/g
for more details see at https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata .
Bye.
Giuseppe
thanks it worked today.
If this solution answers to your question, please accept and/or upvote it.
Bye.
Giuseppe
hi Cusello,
I used both scenario vise versa but no result
Proprs.conf:-
[ABC.com]
scenario -1
TRANSFORMS-password_mask = session-anonymizer
SEDCMD-password_mask = s/Password:[^,]/Password:*{8}/g
scenario -2
TRANSFORMS-password_mask = ABC.com.com
SEDCMD-password_mask = s/Password:{\w(8)}/Password:##########\1/g
transforms.conf:-
[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw
[session-anonymizer]
REGEX = (?m)^(.)Password:\s(\S+)(.)$
FORMAT = $1Password: ############$2
DEST_KEY = _raw