I'm trying to send a vendor some of our log data and I need to scrub the accountname and username fields in the data, but leave everything else untouched.
I edited the /opt/splunk/etc/anonymizer/private-terms.txt to include all of the accountnames and usernames that need to be anonymized. I pipe my search to scrub as follows:
| scrub private-terms=private-terms.txt
The search completes with the following error and no data: The external search command 'scrub' did not return events in descending time order, as expected.
I also tried the method described here:
But that approach scrubbed all of the data, including timestamps and seemed to ignore all of the entries I put in the public-terms.txt.
What is the easiest way to anonymize a couple of fields that have dozens of unique values in each? I know I can do it with the replace command, but that will take forever...
Please add "overridestimeorder = true" to commands.conf:
overridestimeorder = true
<your search> | scrub private-terms=
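For comparison, here is a small added example (not from the question or the answer above, and not Splunk's own scrub implementation) of what field-level anonymization of this kind does outside Splunk: only the values of the named fields that appear in a private-terms list are replaced, every other token including the timestamp stays untouched, and the event order is preserved. The terms file contents, log lines and HMAC key are constructed sample data; the replacement tokens are keyed HMAC pseudonyms so the vendor can still correlate events without seeing the original names.

```python
import hashlib
import hmac
import re

# Constructed sample standing in for private-terms.txt: one term per line
PRIVATE_TERMS_TEXT = """\
# accounts and users that must not reach the vendor
acme-prod
jdoe
asmith
"""

# Constructed sample events in key=value form; timestamps must survive unchanged
SAMPLE_EVENTS = [
    "2024-05-01T12:00:03Z accountname=acme-prod username=jdoe action=login src=10.0.0.5",
    "2024-05-01T12:00:02Z accountname=acme-prod username=asmith action=logout src=10.0.0.6",
    "2024-05-01T12:00:01Z accountname=acme-prod username=svc_backup action=login src=10.0.0.7",
]

KV_RE = re.compile(r"(?P<key>\w+)=(?P<value>\S+)")


def load_private_terms(text):
    """Parse private-terms style text: one term per line, blank lines and '#' comments ignored."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}


def pseudonym(value, key):
    """Deterministic keyed replacement: the same input always maps to the same token,
    but the token cannot be reversed without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "anon-" + digest[:12]


def scrub_fields(event, fields, terms, key):
    """Replace a value only when its key is in `fields` and the value is in `terms`.
    Pass terms=None to anonymize every value of those fields. All other tokens are
    returned byte-for-byte, including the timestamp and any field not listed."""
    def repl(m):
        k, v = m.group("key"), m.group("value")
        if k in fields and (terms is None or v in terms):
            return f"{k}={pseudonym(v, key)}"
        return m.group(0)
    return KV_RE.sub(repl, event)


def scrub_events(events, fields, terms, key):
    """Scrub a sequence of events, preserving their original order."""
    return [scrub_fields(e, fields, terms, key) for e in events]
```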