Re: Can I replace a string in the logs on the host...

kimberlytrayson · ‎12-21-2018

So,

I have been using Splunk out of the box for a while, but now I would like to do some data massaging before I push the logs to the Splunk server. Let's say I have a string "12345678" in the log /var/log/apache.log, is it possible to replace it with "CCNUM" while forwarding itself?

In other words, can the string manipulation be done on the Apache web server itself and not on the indexer/splunk server?

Thanks

harsmarvania57 · ‎12-21-2018

Hi,

You can anonymize data on full splunk instance (Indexer/Heavy Forwarder), not on Universal Forwarder. Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.2/Data/Anonymizedata , SEDCMD- option is good and easy to implement.

I am not sure whether you can anonymize data on Apache server itself.

kimberlytrayson · ‎12-21-2018

Thanks for the information. Yes, I've seen the Anonymizedata, but that's not what I'm looking for. I don't want the sensitive data to even leave the machine. Let me know if you come across any such solution.

egt · ‎12-21-2018

I think you can do this o the forwarder, but im not sure.

Can I replace a string in the logs on the host itself?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation