Hello,
I have the following problem with the anonymisation of a source.
The source of the data is:
\\summer.de\group\Anwendungen\Splunk\starbucks\*
there are the following logs:
123456.log, 342618.log, etc.
example :
\\summer.de\group\Anwendungen\Splunk\starbucks\123456.log
Inputs.conf (UF):
[monitor://\\summer.de\group\Anwendungen\Splunk\starbucks\*]
sourcetype = log_starbucks_anonymized
index = starbucks
Indexes.conf (IDX):
[starbucks]
homePath = $SPLUNK_DB/starbucks/db
coldPath = $SPLUNK_DB/starbucks/colddb
thawedPath = $SPLUNK_DB/starbucks/thaweddb
Props.conf (IDX):
[log_starbucks_anonymized]
MAX_EVENTS = 2000
MAX_TIMESTAMP_LOOKAHEAD = 50
NO_BINARY_CHECK = 1
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TRUNCATE = 50000
pulldown_type = 1
BREAK_ONLY_BEFORE = .+.{2}:.{2}:.{2},.{3}
TRANSFORMS-anonymize = path_anonymizer_starbucks
Transforms.conf (IDX):
[path_anonymizer_starbucks]
DEST_KEY = MetaData:Source
FORMAT = $1XXXXXX$2
REGEX = (\\\\\w+\.\w+\\\w+\\\w+\\\w+\\\w+\\)\d{1,6}(\.\w+)
SOURCE_KEY = MetaData:Source
Target:
the source in Splunk currently looks like this:
\\summer.de\group\Anwendungen\Splunk\starbucks\123456.log
But it should look like this:
\\summer.de\group\Anwendungen\Splunk\starbucks\XXXXXX.log
Question:
What have I overlooked?
The apps and the Stanzas are in the right places and I can't find any "wrong" entries with btool.
After changing the stanza on the cluster master, the change is applied using "apply-cluster-bundle" and is also displayed on the indexers in the cluster.
I just can't find the error.
I have already tried various REGEXes but unfortunately it does not bring about any change.
Thank you for your help.
(.*\\)\d+(\.\w+$)
Regex is good enough for this.
[path_anonymizer_starbucks]
DEST_KEY = MetaData:Source
FORMAT = source::$1XXXXXX$2
REGEX = (.*\\)\d+(\.\w+$)
how about this?
ref: https://docs.splunk.com/Documentation/Splunk/8.1.1/admin/Transformsconf
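To see why the answer above works, here is an added check (not from the thread or from Splunk) that emulates a transforms.conf REGEX/FORMAT rewrite on the bare source paths from the question. It assumes only that Splunk's $1/$2 references behave like regex backreferences and that DEST_KEY = MetaData:Source needs a FORMAT beginning with source::, as the linked transforms.conf documentation states; it does not model the rest of the indexing pipeline.

```python
import re

# Constructed sample sources: the two files named in the question plus a
# control file whose name is not numeric and must be left untouched.
SAMPLE_SOURCES = [
    r"\\summer.de\group\Anwendungen\Splunk\starbucks\123456.log",
    r"\\summer.de\group\Anwendungen\Splunk\starbucks\342618.log",
    r"\\summer.de\group\Anwendungen\Splunk\starbucks\readme.txt",
]

# The two stanzas from the thread: the original one and the proposed fix.
ORIGINAL = {
    "REGEX": r"(\\\\\w+\.\w+\\\w+\\\w+\\\w+\\\w+\\)\d{1,6}(\.\w+)",
    "FORMAT": r"$1XXXXXX$2",
}
FIXED = {
    "REGEX": r"(.*\\)\d+(\.\w+$)",
    "FORMAT": r"source::$1XXXXXX$2",
}


def apply_transform(source: str, regex: str, fmt: str):
    """Emulate one REGEX/FORMAT rewrite on a source path.

    Returns None when REGEX does not match, which is the case where
    Splunk leaves the key as it was.
    """
    m = re.search(regex, source)
    if not m:
        return None
    # Translate Splunk's $1..$n capture references into Python's \1..\n
    # and expand them; group contents are inserted literally, so the
    # backslashes in the UNC path survive unchanged.
    template = re.sub(r"\$(\d+)", r"\\\1", fmt)
    return m.expand(template)


def check_stanza(stanza: dict, sources=SAMPLE_SOURCES):
    """Apply a stanza to every sample source.

    Returns (results, prefix_ok): results maps each source to its rewritten
    value (or None), prefix_ok says whether FORMAT carries the source::
    prefix that a DEST_KEY = MetaData:Source rewrite requires.
    """
    results = {s: apply_transform(s, stanza["REGEX"], stanza["FORMAT"]) for s in sources}
    prefix_ok = stanza["FORMAT"].startswith("source::")
    return results, prefix_ok


if __name__ == "__main__":
    for name, stanza in (("original", ORIGINAL), ("fixed", FIXED)):
        results, prefix_ok = check_stanza(stanza)
        print(f"{name}: source:: prefix present = {prefix_ok}")
        for src, out in results.items():
            print(f"  {src} -> {out}")
```

Both regexes match the numeric file names and yield the same anonymised path, so the functional difference between the two stanzas is the source:: prefix in FORMAT.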
perfect, thank u