Hi
I am trying to transform a couple of strings that are being captured in my Splunk logs.
The strings are similar to this:
{"Key":"Authorization","Value":["Basic EAAAALhzFAxssvST1j4jBCAynyb3F9kHsHFWvijwNkuBb3pnY0zFtrz61YPlxQkP73l9p9ZusdBBfjSrDXgueEipT8xUuRk3tFPIAnmwFbGxluvRa3szorgtEq6VDXuIZL9RgA=="]},{"Key":"Authorization-Token","Value":["BCDC62F494410A7ABAE80457C9566F37"]}]
I have tested the following regex expressions with a couple of tools, and they seem to match
"Authorization","Value":\["(Basic)\s[a-zA-Z0-9+\/]+={0,2}"
"Authorization-Token","Value":\["[a-zA-Z0-9+]+"
I have the following in my $SPLUNK_HOME/etc/system/local/props.conf file
[someapp]
TRANSFORMS-anonymize = authorization-anonymizer, authorization-token-anonymizer
And the following in my $SPLUNK_HOME/etc/system/local/transforms.conf file
```
[authorization-anonymizer]
REGEX = "Authorization","Value":["(Basic)\s[a-zA-Z0-9+\/]+={0,2}"
FORMAT = $1"Value":["Basic ##############################################################################################################################$2
DEST_KEY = _raw
[authorization-token-anonymizer]
REGEX= "Authorization-Token","Value":["[a-zA-Z0-9+]+"
FORMAT = $1"Value":["############################$2
DEST_KEY = _raw
```
The intention is to replace the strings with # characters, but I clearly have misunderstood something, as the strings are not changing.
Could anyone help at all?
Thanks
_scott
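An offline check of the two masking rules, added here as an example and not part of the original post or of Splunk's own code. It assumes that with DEST_KEY = _raw the FORMAT string becomes the entire event, so each pattern captures the text before and after the secret as $1 and $2; the helper names, the shortened mask and the sample event are constructed for illustration.

```python
import re

# Constructed sample event modelled on the one in the post (values are made up).
EVENT = ('[{"Key":"Authorization","Value":["Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="]},'
         '{"Key":"Authorization-Token","Value":["0123456789ABCDEF0123456789ABCDEF"]}]')

# (name, REGEX, FORMAT). Group 1 = everything before the secret, group 2 =
# everything after it, so FORMAT can rebuild the complete event around the mask.
TRANSFORMS = [
    ("authorization-anonymizer",
     r'^(.*"Authorization","Value":\["Basic )[a-zA-Z0-9+/]+={0,2}(".*)$',
     "$1########$2"),
    ("authorization-token-anonymizer",
     r'^(.*"Authorization-Token","Value":\[")[a-zA-Z0-9+]+(".*)$',
     "$1########$2"),
]

def apply_transform(raw, regex, fmt):
    """Assumed model of REGEX/FORMAT with DEST_KEY = _raw: on a match the
    whole event becomes FORMAT with $n replaced by capture group n."""
    m = re.search(regex, raw, re.DOTALL)
    if m is None:
        return raw  # no match: the event passes through unchanged
    def group(ref):
        n = int(ref.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$(\d+)", group, fmt)

def anonymize(raw, transforms=TRANSFORMS):
    """Apply every transform in order, as a TRANSFORMS- list would."""
    for _name, regex, fmt in transforms:
        raw = apply_transform(raw, regex, fmt)
    return raw

def leaked(raw):
    """Return any credential-looking values still present after masking."""
    return re.findall(r'"Value":\["(?:Basic )?([A-Za-z0-9+/=]{16,})"', raw)

if __name__ == "__main__":
    masked = anonymize(EVENT)
    print(masked)
    print("leaked:", leaked(masked))
```

Running `leaked()` over a batch of sample events before and after `anonymize()` gives a quick regression check whenever the patterns change.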