Can I replace a string in the logs on the host its...

kimberlytrayson · ‎12-21-2018

So,

I have been using Splunk out of the box for a while, but now I would like to do some data massaging before I push the logs to the Splunk server. Let's say I have a string "12345678" in the log /var/log/apache.log, is it possible to replace it with "CCNUM" while forwarding itself?

In other words, can the string manipulation be done on the Apache web server itself and not on the indexer/splunk server?

Thanks

harsmarvania57 · ‎12-21-2018

Hi,

You can anonymize data on full splunk instance (Indexer/Heavy Forwarder), not on Universal Forwarder. Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.2/Data/Anonymizedata , SEDCMD- option is good and easy to implement.

I am not sure whether you can anonymize data on Apache server itself.

kimberlytrayson · ‎12-21-2018

Thanks for the information. Yes, I've seen the Anonymizedata, but that's not what I'm looking for. I don't want the sensitive data to even leave the machine. Let me know if you come across any such solution.

egt · ‎12-21-2018

I think you can do this o the forwarder, but im not sure.

Can I replace a string in the logs on the host itself?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!