Can I replace a string in the logs on the host itself?

kimberlytrayson
Path Finder

So,

I have been using Splunk out of the box for a while, but now I would like to do some data massaging before I push the logs to the Splunk server. Let's say I have a string "12345678" in the log /var/log/apache.log, is it possible to replace it with "CCNUM" while forwarding itself?

In other words, can the string manipulation be done on the Apache web server itself and not on the indexer/splunk server?

Thanks

0 Karma

harsmarvania57
Ultra Champion

Hi,

You can anonymize data on a full Splunk instance (Indexer/Heavy Forwarder), not on a Universal Forwarder. Have a look at this document: https://docs.splunk.com/Documentation/Splunk/7.2.2/Data/Anonymizedata. The SEDCMD- option is good and easy to implement.

I am not sure whether you can anonymize data on the Apache server itself.

kimberlytrayson
Path Finder

Thanks for the information. Yes, I've seen the Anonymizedata, but that's not what I'm looking for. I don't want the sensitive data to even leave the machine. Let me know if you come across any such solution.

0 Karma
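
For the requirement above that the value never leave the host, one option is to sanitize the log before any forwarder reads it. The following is an added example, not part of the original thread and not Splunk code: a filter that goes beyond the literal "12345678" and replaces any card-number-shaped digit run that passes the Luhn check with "CCNUM". The sample log lines are constructed, and pointing the forwarder at the sanitized copy instead of the raw file is an assumption about the deployment.

```python
import re
import sys

# 16 digits in 4-4-4-4 groups, or an unbroken run of 13-19 digits.
CANDIDATE = re.compile(
    r"(?<!\d)(?:\d{4}(?:[ -]\d{4}){3}|\d{13,19})(?!\d)"
)

def luhn_ok(digits):
    """Luhn checksum: filters out order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_line(line, token="CCNUM"):
    """Replace each Luhn-valid candidate in one log line with the token."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return token if luhn_ok(digits) else m.group(0)
    return CANDIDATE.sub(repl, line)

def mask_lines(lines):
    """Mask a batch of lines and return the sanitized copies."""
    return [mask_line(line) for line in lines]

# Constructed sample lines in Apache access-log style (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Dec/2024:10:15:32 +0000] '
    '"GET /pay?card=4111111111111111 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Dec/2024:10:15:40 +0000] '
    '"GET /pay?card=4111-1111-1111-1111 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Dec/2024:10:15:51 +0000] '
    '"GET /order?id=1234567890123456 HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    # Filter mode: raw log on stdin, sanitized copy on stdout.
    for raw in sys.stdin:
        sys.stdout.write(mask_line(raw))
```

The Luhn check keeps the 16-digit order id in the third sample line intact while both card formats are masked.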

egt
New Member

I think you can do this on the forwarder, but I'm not sure.

0 Karma