SEDCMD a field

JDukeSplunk — Thu, 11 Apr 2019 18:35:56 GMT

I'm hoping what I want to do exists.

I've reviewed props.conf.spec and https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/Anonymizedata. I can't find where the documentation says that it is possible to execute a SEDCMD in props.conf against a specific field. We have a csv file that the forwarder assigns fields to from the csv header using it's local props.conf for the sourcetype.

Forwarders props.conf, which is standard csv boilerplate.

[hdfax:prod]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

So those fields are presented to the indexer from the forwarder. If I wanted to anonymize a field named "MemberID" could I do something like this in the indexers props.conf?

[hdfax:prod]
SEDCMD-MEMID <MemberID> = s/\d+/XX-REDACTED-XX/g

Or will I have to regex _raw on the indexers /system/local/props.conf?

SEDCMD-MEMID = s/SOME_LONG_REGEX/XX-REDACTED-XX/g

This would be fine if it were not CSV or the string I wanted to anonymise had some precursor to it like MemberID=1111111. As it stands because it is csv all that exists is a structure with commas separating them.

Ugh..
JD

Re: SEDCMD a field

JDukeSplunk — Thu, 18 Apr 2019 19:29:24 GMT

Transforms.conf must be used for the extracted field, and SEDCMD for _raw.

See here for details. Waaay at the bottom.

https://answers.splunk.com/answers/739964/need-sedcmd-help.html

topic Re: SEDCMD a field in Getting Data In

SEDCMD a field

Re: SEDCMD a field