Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Append data to logs matching regex

jazzijeff
New Member
‎10-06-2021 02:30 AM

Hi i'm looking to use a heavy forwarder to append a string to specific log messages. Im following the guide here https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata (specifically the "Anonymize data with a regular expression transform" part)which only seems to mask data, i dont want to alter the log entry as such but rather add something like "<Review Required>" to the end of the log that matches a specific regex.

Can this be done using the heavy forwarder and transforms.conf?

Labels (3)
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-06-2021 02:42 AM

Hi @jazzijeff,

yes, its possible.

You can do it on Heavy Forwarders (when present) or on indexers (without HFs).

The way to do this are (as described at https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata#Anonymize_data_with_a_regular_... :

  • the SEDCMD command in props.conf,
  • props.conf and transforms.conf.

It's the same thing that anonymize data, because you have to do a transformation on you data: in this case you have to transform the _row log that matches a regex in the same log adding the string "<Review Required>" , something like this in props.conf:

[your_sourcetype]
SEDCMD-add_string = s/.*your_string.*/.*your_string.*\<Review Required\>/g

 Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...

Data Management Digest – January 2026

Welcome to the January 2026 edition of Data Management Digest! Welcome to the January 2026 edition of Data ...