https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273171#M82318 <P>Does no one have a solution or guidance to this? Help is very much appreciated!</P> Mon, 26 Oct 2015 13:25:03 GMT joarsvensson 2015-10-26T13:25:03Z https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273170#M82317 <P>I want to do an automatic lookup from a CSV file on index time, and add new fields to the event. I got this working, but what if I want to anonymize the field used as lookup key afterwards?</P> <P>Using this won't work since it seem to happen prior to the lookup runs:</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[default] SEDCMD-anonymize = s/username=(......)/username=XXXXXX/g </CODE></PRE> <P>Help appreciated!</P> Thu, 15 Oct 2015 12:21:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273170#M82317 joarsvensson 2015-10-15T12:21:38Z https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273171#M82318 <P>Does no one have a solution or guidance to this? Help is very much appreciated!</P> Mon, 26 Oct 2015 13:25:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273171#M82318 joarsvensson 2015-10-26T13:25:03Z https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273172#M82319 <P>It cannot be done without augmenting the data at Index-Time to include the lookup details. Lookups happen at Search-Time ALWAYS.</P> Mon, 26 Oct 2015 15:36:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273172#M82319 woodcock 2015-10-26T15:36:20Z https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273173#M82320 <P>Thank you for clarifying! So I need to populate the data prior to indexing, in order for this to work.</P> Fri, 30 Oct 2015 12:12:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273173#M82320 joarsvensson 2015-10-30T12:12:54Z https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273174#M82321 <P>Yes, think of it this way: any field created at <CODE>Index-Time</CODE> must be based off of a continuous string inside of the event itself (e.g. field <CODE>X</CODE> starts as position <CODE>Y</CODE> and ends at position <CODE>Z</CODE>) or in the meta-data for the event (e.g. <CODE>source</CODE>). This is how all <CODE>Index-Time</CODE> fields are defined and there is not (and probably never will be) any exception. Once I realized this, my thinking about fields became much more clear.</P> Fri, 30 Oct 2015 16:02:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273174#M82321 woodcock 2015-10-30T16:02:06Z https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273175#M82322 <P>Hope Splunk enabled a similar option for "tokenisation" of certain fields at index time (eg credit card numbers for apple pay)</P> Sat, 31 Oct 2015 22:31:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-SEDCMD-to-anonymize-a-field-after-automatic-lookup/m-p/273175#M82322 koshyk 2015-10-31T22:31:16Z