https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238540#M46330 <P>This Splunk doc should get you started.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles</A></P> Wed, 09 Mar 2016 18:05:06 GMT somesoni2 2016-03-09T18:05:06Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238539#M46329 <P>Hey,<BR /> I am running a local instance of splunk for testing purposes. The aim is toAnonymize certain parts of the data that can be searched.<BR /> In my files there were no props.conf or transforms.conf so I created these two files in this folder</P> <P><STRONG>'C:\Program Files\Splunk\etc\system\local'</STRONG></P> <P>The data I am looking to anonymize is simple<BR /> <EM>testfield: 123</EM> <BR /> - Either by removing it completely or removing the unit. </P> <P>If anyone could help with what exactly should go in the transforms.conf and the props.conf files that would be greatly appreciated.</P> <P>Thank you,</P> Wed, 09 Mar 2016 11:25:11 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238539#M46329 jmaguire1992 2016-03-09T11:25:11Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238540#M46330 <P>This Splunk doc should get you started.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles</A></P> Wed, 09 Mar 2016 18:05:06 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238540#M46330 somesoni2 2016-03-09T18:05:06Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238541#M46331 <P>Assuming you want to anonymize the '123' in your test data, you could use the following configuration:</P> <P>props.conf</P> <PRE><CODE> [your_sourcetype] TRANSFORMS-anonymize = testdata_anonymizer </CODE></PRE> <P>transforms.conf</P> <PRE><CODE> [testdata_anonymizer] REGEX = (?m)^testfield:\s+(.*)$ FORMAT = testfield:\sxxxx DEST_KEY = _raw </CODE></PRE> <P>This will strip all off your event after the 'testfield: ' string, and replace it with 'xxxx'<BR /> If you want to keep some of the data, you have to modify the regex accordingly.</P> Wed, 09 Mar 2016 18:46:04 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238541#M46331 DMohn 2016-03-09T18:46:04Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238542#M46332 <P>Thank you very much! It worked! It removed all of the other data and just left </P> <P>testfield:\sxxxx</P> <P>So I will try figure out some way of modifying the regex to just Anoymize the testfield, but thank you so much for your helpful comment <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 10 Mar 2016 09:26:52 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238542#M46332 jmaguire1992 2016-03-10T09:26:52Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238543#M46333 <P>Hi Sir,<BR /> Are you able to modify the regex to replace only 123 data . not all other fields in the even. IF yes Could you please provide the regex. Thanks in advance for your help . </P> Tue, 12 Sep 2017 15:40:55 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238543#M46333 jaiminsol 2017-09-12T15:40:55Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238544#M46334 <P>You can modify the regex to capture only the next three digits after 'testfield:' this way: <BR /> REGEX = (?m)testfield:\s+(\d{3})<BR /> FORMAT = testfield:\sxxxx</P> <P>This will capture any string 'testfield:' followed by a space and three digits.</P> Tue, 12 Sep 2017 19:55:12 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-Data-in-Splunk-Search/m-p/238544#M46334 DMohn 2017-09-12T19:55:12Z