Splunk Search

Can I replace a string in the logs on the host itself?

Path Finder


I have been using Splunk out of the box for a while, but now I would like to do some data massaging before I push the logs to the Splunk server. Let's say I have a string "12345678" in the log /var/log/apache.log, is it possible to replace it with "CCNUM" while forwarding itself?

In other words, can the string manipulation be done on the Apache web server itself and not on the indexer/splunk server?


0 Karma



You can anonymize data on full splunk instance (Indexer/Heavy Forwarder), not on Universal Forwarder. Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.2/Data/Anonymizedata , SEDCMD- option is good and easy to implement.

I am not sure whether you can anonymize data on Apache server itself.

Path Finder

Thanks for the information. Yes, I've seen the Anonymizedata, but that's not what I'm looking for. I don't want the sensitive data to even leave the machine. Let me know if you come across any such solution.

0 Karma

New Member

I think you can do this o the forwarder, but im not sure.

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...