I'm looking to forward only the first portion of a log file event to the indexer to be indexed. The remaining data I cannot send due to possible PCI reasons. I have installed the full Splunk instance to use the heavy forwarder and have tried updating props.conf with an EXTRACT statement to pull out what I want forwarded. Portion below:
SEDCMD-<name> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit card or social
security numbers. For more information, search the online documentation for "anonymize
TRUNCATE = n (also in props.conf) may be an option.
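Putting the two index-time settings quoted above together, here is an added props.conf example (not from the original question or answer, and not Splunk's own documentation) showing what a heavy forwarder stanza would look like. The sourcetype name `pos_terminal`, the 120-byte header length and the card-number pattern are assumptions for illustration; replace them with the real sourcetype and the actual width of the portion that is safe to index.

```ini
# Added example: props.conf on the heavy forwarder (assumed sourcetype "pos_terminal").
# Assumes single-line events whose non-sensitive header fits in the first 120 bytes.

[pos_terminal]
# Index-time masking: keep only the last four digits of a dash-separated 16-digit
# card number before the event is written to disk. SEDCMD runs in the parsing
# pipeline, so it takes effect on a heavy forwarder or indexer, never on a
# universal forwarder.
SEDCMD-mask_pan = s/\d{4}-\d{4}-\d{4}-(\d{4})/XXXX-XXXX-XXXX-\1/g

# Index-time truncation: only the first 120 bytes of each line are kept; the rest
# is dropped before indexing. TRUNCATE is a per-line limit (default 10000), so a
# multi-line event has each line cut separately, not the event as a whole.
TRUNCATE = 120
```

Two practical caveats. First, EXTRACT-<class> is a search-time field extraction: it changes what a search shows, not what gets indexed, so it cannot keep sensitive data off the indexer on its own; SEDCMD and TRUNCATE are the index-time controls. Second, truncation happens during line breaking, earlier in the pipeline than SEDCMD, so a line cut in the middle of a card number can leave a partial number that the masking regex no longer matches. After deploying, confirm the effective settings with `splunk btool props list pos_terminal --debug` and search the indexed data for leftover digit runs before relying on the configuration for PCI scope.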