I'm hoping what I want to do exists.
I've reviewed props.conf.spec and https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/Anonymizedata. I can't find where the documentation says that it is possible to execute a SEDCMD in props.conf against a specific field. We have a csv file that the forwarder assigns fields to from the csv header using its local props.conf for the sourcetype.
Forwarder's props.conf, which is standard csv boilerplate.
[hdfax:prod]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
So those fields are presented to the indexer from the forwarder. If I wanted to anonymize a field named "MemberID", could I do something like this in the indexer's props.conf?
[hdfax:prod]
SEDCMD-MEMID <MemberID> = s/\d+/XX-REDACTED-XX/g
Or will I have to regex _raw in the indexer's /system/local/props.conf?
SEDCMD-MEMID = s/SOME_LONG_REGEX/XX-REDACTED-XX/g
This would be fine if it were not CSV or the string I wanted to anonymise had some precursor to it like MemberID=1111111. As it stands, because it is csv, all that exists is a structure with commas separating them.
Ugh..
JD
Transforms.conf must be used for the extracted field, and SEDCMD for _raw.
See here for details. Waaay at the bottom.
https://answers.splunk.com/answers/739964/need-sedcmd-help.html
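An added example, not part of the posts above and not Splunk's own code: since the CSV _raw has no "MemberID=" precursor, a SEDCMD on _raw has to find the value by column position, and this sketch derives such an s/// expression from the header and checks it on sample rows. The column layout and rows are constructed assumptions, the expression is checked with Python's re module rather than Splunk's regex engine, and escaped quotes ("") inside quoted cells are not handled.

```python
import csv
import io
import re

REDACTED = "XX-REDACTED-XX"  # replacement string from the question

# One CSV cell: a double-quoted cell (may contain commas) or a bare cell.
# The bare form excludes quotes so the regex cannot backtrack into a quoted cell.
CELL = r'(?:"[^"]*"|[^",]*)'


def sed_for_column(header_line, field):
    """Build (pattern, replacement) redacting digits in `field`, found by position."""
    header = next(csv.reader(io.StringIO(header_line)))
    idx = header.index(field)  # ValueError if the header lacks the field
    # Group 1 = the idx cells before the target, each with its trailing comma,
    # plus an optional opening quote on the target cell itself.
    pattern = r'^((?:%s,){%d}"?)\d+' % (CELL, idx)
    return pattern, r"\1" + REDACTED


def as_sedcmd(pattern, replacement):
    """Render the pair in the s/regex/replacement/ form that SEDCMD takes."""
    return "s/%s/%s/" % (pattern, replacement)


def redact(raw, pattern, replacement):
    """Apply the substitution once to a raw line, as sed without the g flag would."""
    return re.sub(pattern, replacement, raw, count=1)


# Constructed sample data; the column layout is an assumption, not from the post.
HEADER = "FaxDate,Sender,MemberID,Pages"
ROWS = [
    '2019-04-02,"Smith, Ann",1111111,3',  # quoted cell with an embedded comma
    "2019-04-02,Clinic 12,2222222,1",     # digits in another column stay intact
    "2019-04-02,Clinic 12,,4",            # empty MemberID: nothing to redact
]

if __name__ == "__main__":
    pat, rep = sed_for_column(HEADER, "MemberID")
    print("SEDCMD-MEMID =", as_sedcmd(pat, rep))
    for row in ROWS:
        print(redact(row, pat, rep))
```
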