Splunk Search

Can I replace a string in the logs on the host itself?

kimberlytrayson
Path Finder

So,

I have been using Splunk out of the box for a while, but now I would like to do some data massaging before I push the logs to the Splunk server. Let's say I have a string "12345678" in the log /var/log/apache.log, is it possible to replace it with "CCNUM" while forwarding itself?

In other words, can the string manipulation be done on the Apache web server itself and not on the indexer/splunk server?

Thanks

0 Karma

harsmarvania57
Ultra Champion

Hi,

You can anonymize data on a full Splunk instance (Indexer/Heavy Forwarder), not on a Universal Forwarder. Have a look at this document: https://docs.splunk.com/Documentation/Splunk/7.2.2/Data/Anonymizedata. The SEDCMD- option is good and easy to implement.

I am not sure whether you can anonymize data on Apache server itself.

kimberlytrayson
Path Finder

Thanks for the information. Yes, I've seen the Anonymizedata, but that's not what I'm looking for. I don't want the sensitive data to even leave the machine. Let me know if you come across any such solution.

0 Karma
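Added example (not from the thread or from Splunk): one way to meet the "never leaves the machine" requirement is to scrub the log on the web server and have the forwarder monitor the scrubbed copy instead of the raw file. It goes beyond the literal "12345678" in the question and masks any 13 to 19 digit number that passes the Luhn check; the function names, the sample lines and that deployment arrangement are assumptions.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
MASK = "CCNUM"  # replacement token taken from the question


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_line(line: str) -> str:
    """Replace Luhn-valid card-like numbers in one log line with MASK."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Leave order IDs, phone numbers etc. that fail the checksum untouched.
        return MASK if luhn_ok(digits) else match.group(0)
    return CANDIDATE.sub(repl, line)


def scrub_stream(src, dst) -> int:
    """Copy src to dst line by line, masking as it goes; return lines changed."""
    changed = 0
    for line in src:
        clean = scrub_line(line)
        changed += clean != line
        dst.write(clean)
    return changed


# Constructed sample lines; 4111111111111111 is the widely used Visa test number.
SAMPLE = [
    '10.0.0.5 - - [12/Jan/2019:10:01:02 +0000] "GET /pay?card=4111111111111111 HTTP/1.1" 200 512\n',
    '10.0.0.5 - - [12/Jan/2019:10:01:03 +0000] "GET /pay?card=4111-1111-1111-1111 HTTP/1.1" 200 512\n',
    '10.0.0.5 - - [12/Jan/2019:10:01:04 +0000] "GET /order?id=1234567890123456 HTTP/1.1" 200 98\n',
]

if __name__ == "__main__":
    import sys
    scrub_stream(sys.stdin, sys.stdout)  # e.g. fed from the raw log, written to the monitored file
```

The raw log still holds the unmasked values on the host, so it needs restrictive file permissions and short retention.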

egt
New Member

I think you can do this on the forwarder, but I'm not sure.

0 Karma