
Scrub command failing

Builder

I'm trying to send a vendor some of our log data and I need to scrub the accountname and username fields in the data, but leave everything else untouched.

I edited the /opt/splunk/etc/anonymizer/private-terms.txt to include all of the accountnames and usernames that need to be anonymized. I pipe my search to scrub as follows:

| scrub private-terms=private-terms.txt

The search completes with the following error and no data: The external search command 'scrub' did not return events in descending time order, as expected.

I also tried the method described here:

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/AnonymizedatasamplestosendtoSuppo...

But that approach scrubbed all of the data, including timestamps and seemed to ignore all of the entries I put in the public-terms.txt.

What is the easiest way to anonymize a couple of fields that have dozens of unique values in each? I know I can do it with the replace command, but that will take forever...

Thx.

Craig


Re: Scrub command failing

Communicator

Bump. I am getting the same error and would like to know if anyone has found a resolution to this problem.


Re: Scrub command failing

Splunk Employee

Please add "overrides_timeorder = true" in commands.conf

- etc/apps/search/local/commands.conf
[scrub]
overrides_timeorder = true

Restarting Splunk is not required for this change.

<your search> | scrub private-terms=


Re: Scrub command failing

Splunk Employee

We'll ask our doc team to add this information

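For the original question (scrub only accountname and username, leave timestamps and everything else alone), here is an added example that is not part of the thread and is not Splunk's scrub command: a Python script that pseudonymizes just those two fields in exported events with a keyed hash, then checks whether any original value still appears elsewhere in the output. The key=value event layout, the sample events and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Field names come from the question; the key=value event layout is an assumption.
SCRUB_FIELDS = ("accountname", "username")

# Matches field=value or field="quoted value" for the listed fields only.
_FIELD_RE = re.compile(
    r'\b(?P<key>' + "|".join(map(re.escape, SCRUB_FIELDS)) + r')='
    r'(?P<val>"[^"]*"|[^\s,;]+)',
    re.IGNORECASE,
)

def pseudonym(field, value, secret):
    """Stable keyed token: the same value (case-insensitive) always maps to the same token."""
    msg = (field.lower() + "\x00" + value.lower()).encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{field.lower()}_{digest[:12]}"

def scrub_event(line, secret):
    """Replace only the values of SCRUB_FIELDS; timestamps and other text pass through."""
    def _sub(m):
        raw = m.group("val")
        quoted = raw.startswith('"')
        token = pseudonym(m.group("key"), raw.strip('"'), secret)
        return f'{m.group("key")}=' + (f'"{token}"' if quoted else token)
    return _FIELD_RE.sub(_sub, line)

def leaked_values(original, scrubbed):
    """Pre-send check: original field values that still appear anywhere in the scrubbed output."""
    values = {m.group("val").strip('"') for line in original for m in _FIELD_RE.finditer(line)}
    return sorted(v for v in values if any(v in s for s in scrubbed))

# Constructed sample events (not real data).
SAMPLE = [
    '2013-04-02 10:15:01 action=login username=jsmith accountname="CORP\\jsmith" src=10.0.0.5',
    '2013-04-02 10:15:09 action=logoff username=jsmith accountname="CORP\\jsmith" src=10.0.0.5',
    '2013-04-02 10:16:30 action=login username=adoe msg="password reset requested by jsmith"',
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice a random secret kept in-house
    out = [scrub_event(line, key) for line in SAMPLE]
    print("\n".join(out))
    print("still present after scrub:", leaked_values(SAMPLE, out))
```

The third sample event shows the failure mode to check for before sending data out: the username inside the free-text msg field is not covered by field-level replacement, so leaked_values reports it.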