Referring to instruction of anonymization in page bellow:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles
During indexing, instead of replacing a field value with literals, I would like to apply a function on it (for example encrypt it)
[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
For example instead of replacing SessionId=3A1785URH117BEA
with SessionId=########
, I would like to replace it with a runtime value result of applying a function (like encryption function ).
This way I'll have a mechanism to get the original values if needed.
Has anybody come up with a solution for that.
Thanks