<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Problem with display anonymised values in splunk with SEDCMD : in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409478#M72600</link>
    <description>&lt;P&gt;MV_ADD is only valid for search time extractions.&lt;/P&gt;

&lt;P&gt;There is something in the docs about using $0 at the start of the FORMAT string: &lt;CODE&gt;FORMAT = $0 NUMR_TICK::NUMRERIC1$3$2&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;But I don't fully understand what effect that would have (but perhaps worth a try). I've never done this myself, so you may need to wait for someone else to come by this question to help you further.&lt;/P&gt;</description>
    <pubDate>Thu, 22 Nov 2018 15:57:41 GMT</pubDate>
    <dc:creator>FrankVl</dc:creator>
    <dc:date>2018-11-22T15:57:41Z</dc:date>
    <item>
      <title>Problem with display anonymised values in splunk with SEDCMD :</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409475#M72597</link>
      <description>&lt;P&gt;Hello community,&lt;/P&gt;

&lt;P&gt;I am trying to anonymise data in Splunk. For that purpose I am using SEDCMD in Splunk. The transformation applies perfectly to the _raw field, but the fields are not modified accordingly. Please note that I do use CSV extraction. Can you help?&lt;BR /&gt;
Here's my command, in my props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;SEDCMD-NUMR_TICK = s/(SAV-xDSL)([0-9]{5})([0-9]{5})/NUMR1\3\2/g
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;My output, which is correct, is:&lt;/P&gt;

&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/6161iA4C72836B710250D/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;But when showing events, my data is shown without being anonymised:&lt;/P&gt;

&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/6162i3D4D5162C4ACD80A/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Nov 2018 11:28:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409475#M72597</guid>
      <dc:creator>virtuosoo</dc:creator>
      <dc:date>2018-11-22T11:28:01Z</dc:date>
    </item>
    <item>
      <title>Re: Problem with display anonymised values in splunk with SEDCMD :</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409476#M72598</link>
      <description>&lt;P&gt;Sounds like the indexed extractions take place before SEDCMD modifies the raw event. So you would need to write a TRANSFORMS command in props/transforms to perform the same translation on the field. If I'm not mistaken, that should work as follows.&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TRANSFORMS-NUMR_TICK = NUMR_TICK
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[NUMR_TICK]
SOURCE_KEY = field:NUMR_TICK
REGEX = (SAV-xDSL)([0-9]{5})([0-9]{5})
FORMAT = NUMR_TICK::NUMR1$3$2
WRITE_META = true
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 22 Nov 2018 11:56:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409476#M72598</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-11-22T11:56:03Z</dc:date>
    </item>
    <item>
      <title>Re: Problem with display anonymised values in splunk with SEDCMD :</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409477#M72599</link>
      <description>&lt;P&gt;Hello FrankVl ,&lt;/P&gt;

&lt;P&gt;Thank you for your reply , I have followed your indications, It has solved my problem partially but not totally because now I have an output with multiple values NUMR_TICK :&lt;/P&gt;

&lt;P&gt;NUMR_TICK             SAV-xDSL0003460059&lt;BR /&gt;&lt;BR /&gt;
                                 NUMR16005900034&lt;/P&gt;

&lt;P&gt;This is my new configuration:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[NUMR_TICK]
FORMAT = NUMR_TICK::NUMRERIC1$3$2
MV_ADD = 0
REGEX = (SAV-xDSL)([0-9]{5})([0-9]{5})
SOURCE_KEY = field:NUMR_TICK
WRITE_META = true
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have added MV_ADD to avoid that behavior. But I've got no results.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 22:10:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409477#M72599</guid>
      <dc:creator>virtuosoo</dc:creator>
      <dc:date>2020-09-29T22:10:57Z</dc:date>
    </item>
    <item>
      <title>Re: Problem with display anonymised values in splunk with SEDCMD :</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409478#M72600</link>
      <description>&lt;P&gt;MV_ADD is only valid for search time extractions.&lt;/P&gt;

&lt;P&gt;There is something in the docs about using $0 at the start of the FORMAT string: &lt;CODE&gt;FORMAT = $0 NUMR_TICK::NUMRERIC1$3$2&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;But I don't fully understand what effect that would have (but perhaps worth a try). I've never done this myself, so you may need to wait for someone else to come by this question to help you further.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Nov 2018 15:57:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Problem-with-display-anonymised-values-in-splunk-with-SEDCMD/m-p/409478#M72600</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-11-22T15:57:41Z</dc:date>
    </item>
  </channel>
</rss>

