Getting Data In

anonymize before indexed_extractions

Communicator

Hi,

I have a CSV input and want to anonymize data, but with SEDCMD it only works for _raw field. The fields created from indexed_extractions are not anonymized.
The fields of the CSV vary and the pattern I need to anonymize can occur in multiple fields.

Does anybody have a hint for me?

Best regards,
Thomas

0 Karma

SplunkTrust
SplunkTrust

My colleague Johannes @jeffland had a similar issue, and provides a working solution here: https://answers.splunk.com/answers/312173/how-can-i-anonymize-fields-of-data-that-has-underg.html
The approach of modifying _meta directly should help you with looking for a pattern in varying fields.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!