Re: sed cmd to anonymize data - Splunk Community

Splunk Search

Hello, I have a source that contains events like these:

"MONEY LEFT: 1.000,00"
"MONEY LEFT: 000,00"
"MONEY LEFT: 350,00"
"MONEY LEFT: 1290,00"
"MONEY LEFT: 50,00"

What I would like to do is to anonymize the amount of money left (1.000,00 000,00 350,00 and so on). The output desired is

"MONEY LEFT: XXX,XX"

I tried with a sed command like these:

SEDCMD-nomoney = s/MONEY\sLEFT:\s(\S+)/MONEY LEFT: XXX,XX/g</

but it does not work all. Maybe the sed command need to know how many characters are going to be substituted? I mean that I cannot use (\S+)

Thanks for help,

Luca Caldiero Consoft Sistemi S.p.A.

Hi,
After adding above statement in props.conf file, how can we check it, whether it can work or not through SplunkWeb.

Try :

SEDCMD-nomoney = s/MONEY LEFT: [\d\.\,]*/MONEY LEFT: XXX,XX/g

The SED expression looks good to me. Can you post the whole stanza from your props.conf? Are you sure the sourcetype/source matches?

Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...