Splunk Search

sed cmd to anonymize data


Hello, I have a source that contains events like these:

"MONEY LEFT: 1.000,00"
"MONEY LEFT: 000,00"
"MONEY LEFT: 350,00"
"MONEY LEFT: 1290,00"
"MONEY LEFT: 50,00"

What I would like to do is to anonymize the amount of money left (1.000,00 000,00 350,00 and so on). The output desired is


I tried with a sed command like these:

SEDCMD-nomoney = s/MONEY\sLEFT:\s(\S+)/MONEY LEFT: XXX,XX/g</

but it does not work all. Maybe the sed command need to know how many characters are going to be substituted? I mean that I cannot use (\S+)

Thanks for help,

Luca Caldiero Consoft Sistemi S.p.A.

Tags (3)
0 Karma

New Member

After adding above statement in props.conf file, how can we check it, whether it can work or not through SplunkWeb.

0 Karma

Path Finder

Try :

SEDCMD-nomoney = s/MONEY LEFT: [\d\.\,]*/MONEY LEFT: XXX,XX/g
0 Karma


The SED expression looks good to me. Can you post the whole stanza from your props.conf? Are you sure the sourcetype/source matches?

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...