https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121063#M32548 <P>Hello Splunkers,</P> <P>I am trying to follow the logic from the below URL to anonymize some field data on the fly.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles</A></P> <P>The following Splunk Search query gets all the fields for my output without regex.</P> <P>sourcetype=ourdatasource userPassword | table index host source sourcetype authority user password userPassword</P> <P>The next step for me is to try and anonymize this data. <BR /> Both regular expressions below are verified to work with just the rex fields below.</P> <P>As I write this question I am starting to wonder if I even need a REGEX statement below<BR /> for these fields as they are all recognized fields in Splunk. Can someone confirm that maybe<BR /> I do not need a REGEX statement. Maybe something else? </P> <P>Also I am not sure about the format statement if that is the case.</P> <P>[ourdatasource]<BR /> TRANSFORMS-anonymize = userpass-anonymizer, pass-anonymizer</P> <P>[userpass-anonymizer]<BR /> REGEX = (?i)^(?:[^;]*;){4}(?P[^=]+)<BR /> FORMAT = $1UserPassword=###$2<BR /> DEST_KEY = _raw</P> <P>[pass-anonymizer]<BR /> REGEX = (?i)&amp;(?P[^=]+)<BR /> FORMAT = $1password=########$2<BR /> DEST_KEY = _raw</P> <P>Thanks,<BR /> Daniel</P> Wed, 12 Nov 2014 17:47:38 GMT dmacgillivray 2014-11-12T17:47:38Z https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121063#M32548 <P>Hello Splunkers,</P> <P>I am trying to follow the logic from the below URL to anonymize some field data on the fly.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles</A></P> <P>The following Splunk Search query gets all the fields for my output without regex.</P> <P>sourcetype=ourdatasource userPassword | table index host source sourcetype authority user password userPassword</P> <P>The next step for me is to try and anonymize this data. <BR /> Both regular expressions below are verified to work with just the rex fields below.</P> <P>As I write this question I am starting to wonder if I even need a REGEX statement below<BR /> for these fields as they are all recognized fields in Splunk. Can someone confirm that maybe<BR /> I do not need a REGEX statement. Maybe something else? </P> <P>Also I am not sure about the format statement if that is the case.</P> <P>[ourdatasource]<BR /> TRANSFORMS-anonymize = userpass-anonymizer, pass-anonymizer</P> <P>[userpass-anonymizer]<BR /> REGEX = (?i)^(?:[^;]*;){4}(?P[^=]+)<BR /> FORMAT = $1UserPassword=###$2<BR /> DEST_KEY = _raw</P> <P>[pass-anonymizer]<BR /> REGEX = (?i)&amp;(?P[^=]+)<BR /> FORMAT = $1password=########$2<BR /> DEST_KEY = _raw</P> <P>Thanks,<BR /> Daniel</P> Wed, 12 Nov 2014 17:47:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121063#M32548 dmacgillivray 2014-11-12T17:47:38Z https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121064#M32549 <P>The URL that you pointed to refers to anonymizing the data prior to it being indexed - if you do this, the actual data will never be viewable in Splunk, just the anonymized version. This may or may not be what you want.</P> <P>If it is OK that only the anonymized version of the data is in Splunk, then you must anonymize it prior to it being indexed, which means you do, in fact, need the regexes. The reason is that indexing happens <STRONG>before</STRONG> Splunk tries to break up your data into discoverable fields. Once indexing happens, the data cannot be changed, so it would be searchable in Splunk if it had not been anonymized prior.</P> Wed, 12 Nov 2014 18:16:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121064#M32549 aweitzman 2014-11-12T18:16:39Z https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121065#M32550 <P>Thanks for your comments on this subject. Unfortunately I have tried this, as I have completely removed the data on my test server which is pointing to an app location on /opt/splunk/etc/apps. </P> <P>Then I tried again, reloaded the data and re-queried the data with the same results. </P> <P>I have also moved this entire app over to /opt/splunk/etc/system/local just to see if it was a placement issue.<BR /> That also did not work out. If you can think of something else, let me know. Very interesting point you make about<BR /> the regex part of my question. </P> Wed, 12 Nov 2014 18:42:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121065#M32550 dmacgillivray 2014-11-12T18:42:06Z https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121066#M32551 <P>All I can think of is that there might be an issue with your regex or FORMAT string. The primary thrust of my answer had to do with whether the regexes were necessary or not.</P> <P>In terms of the actual regexes and FORMAT strings, sample raw data will be necessary to help you there.</P> Wed, 12 Nov 2014 19:33:26 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-anonymize-two-recognized-fields-in-Splunk/m-p/121066#M32551 aweitzman 2014-11-12T19:33:26Z