Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Scrub command failing

responsys_cm
Builder
‎11-13-2012 11:58 AM

I'm trying to send a vendor some of our log data and I need to scrub the accountname and username fields in the data, but leave everything else untouched.

I edited the /opt/splunk/etc/anonymizer/private-terms.txt to include all of the accountnames and usernames that need to be anonymized. I pipe my search to scrub as follows:

| scrub private-terms=private-terms.txt

The search completes with the following error and no data: The external search command 'scrub' did not return events in descending time order, as expected.

I also tried the method described here:

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/AnonymizedatasamplestosendtoSuppo...

But that approach scrubbed all of the data, including timestamps and seemed to ignore all of the entries I put in the public-terms.txt.

What is the easiest way to anonymize a couple of fields that have dozens of unique values in each? I know I can do it with the replace command, but that will take forever...

Thx.

Craig

Tags (1)
0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎08-23-2013 09:57 AM

Please add "overrides_timeorder = true" in commands.conf



- etc/apps/search/local/commands.conf 

[scrub] 

overrides_timeorder = true

Restarting Splunk is not required for this change. 


<your search> | scrub private-terms=

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎08-23-2013 09:59 AM

We'll ask our doc team to add this information

0 Karma
Reply

BenjaminWyatt
Communicator
‎05-15-2013 07:29 AM

Bump. I am getting the same error and would like to know if anyone has found a resolution to this problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...

New This Month - SLO Capabilities, APM Advanced Filtering & Usage Analytics Plus ...

More for SLO Management We’re continuing to expand the built-in SLO management experience in Splunk ...

Enterprise Security Content Update (ESCU) | New Releases

In June, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...