I'm hoping what I want to do exists.
I've reviewed props.conf.spec and https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/Anonymizedata. I can't find where the documentation says that it is possible to execute a SEDCMD in props.conf against a specific field. We have a csv file that the forwarder assigns fields to from the csv header using its local props.conf for the sourcetype.
Forwarder's props.conf, which is standard csv boilerplate:
[hdfax:prod]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
So those fields are presented to the indexer from the forwarder. If I wanted to anonymize a field named "MemberID", could I do something like this in the indexers' props.conf?
[hdfax:prod]
SEDCMD-MEMID <MemberID> = s/\d+/XX-REDACTED-XX/g
Or will I have to regex _raw in the indexers' /system/local/props.conf?
SEDCMD-MEMID = s/SOME_LONG_REGEX/XX-REDACTED-XX/g
This would be fine if it were not CSV or the string I wanted to anonymise had some precursor to it, like MemberID=1111111. As it stands, because it is csv, all that exists is a structure with commas separating them.
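Added example (not part of the original post, and not Splunk's own code): one way to express the "regex on _raw" option is to anchor on column position rather than on a field name, which also covers quoted fields that contain commas. The header, the rows and the helper names are constructed for illustration, Python's `re` stands in for the regex engine, and lookahead support in the target engine is assumed.

```python
import re

# One CSV field: a double-quoted field ("" is an escaped quote) or an unquoted
# run. The (?!") lookahead stops a quoted field being re-read as an unquoted one.
FIELD = r'(?:"(?:[^"]|"")*"|(?!")[^,]*)'

def positional_rule(header, column, mask="XX-REDACTED-XX"):
    """Build (pattern, replacement) masking an all-digit value in `column`."""
    names = [n.strip().strip('"') for n in header.split(",")]
    skip = names.index(column)          # ValueError if the column is absent
    # Skip exactly `skip` complete fields, then require digits up to the next
    # comma or end of line, so other columns are never touched.
    pattern = r'^((?:%s,){%d})\d+(?=,|$)' % (FIELD, skip)
    return pattern, r'\1' + mask

def as_sedcmd(pattern, replacement):
    """Render the rule in the s/regex/replacement/ form that SEDCMD takes."""
    return "s/%s/%s/" % (pattern, replacement)

def redact(line, pattern, replacement):
    """Apply the rule to one raw line, at most once."""
    return re.sub(pattern, replacement, line, count=1)

# Constructed sample data: this header and these rows are invented.
HEADER = "FaxID,Recipient,MemberID,Pages,Status"
ROWS = [
    'F-1001,"Doe, Jane",1111111,3,SENT',
    'F-1002,John Roe,2222222,12,FAILED',
    'F-1003,"Ann ""AJ"" Lee, 4455",3333333,1,SENT',
    'F-1004,No Member,,2,SENT',          # empty MemberID must stay empty
]

if __name__ == "__main__":
    pat, repl = positional_rule(HEADER, "MemberID")
    print("SEDCMD-MEMID =", as_sedcmd(pat, repl))
    for row in [HEADER] + ROWS:
        print(redact(row, pat, repl))
```

The generated rule depends on the column order, so it has to be rebuilt if the CSV header changes.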