1) When to use SEDCMD?
2) When to use transforms and props for data masking?
3) Which is better?
Hi patricianaguit,
while SEDCMD
and the props/transforms can do the same, SEDCMD
is for index time only http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf (search for SEDCMD) and will be applied to your _raw
events.
The props/transforms approach can do the same as SEDCMD
in this regard, but it can also just be used for search time. That said, it will can not only change _raw
events but it can also just change the search result without changing _raw
.
To answer which is better; it all depends on your use case 😉
Hope this makes sense ...
cheers, MuS
Hi patricianaguit,
while SEDCMD
and the props/transforms can do the same, SEDCMD
is for index time only http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf (search for SEDCMD) and will be applied to your _raw
events.
The props/transforms approach can do the same as SEDCMD
in this regard, but it can also just be used for search time. That said, it will can not only change _raw
events but it can also just change the search result without changing _raw
.
To answer which is better; it all depends on your use case 😉
Hope this makes sense ...
cheers, MuS
Hey@patricianaguit,
You can refer this link for better understanding:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
Let me know if this helps!!!