Splunk Search

sed cmd to anonymize data

cafissimo
Communicator

Hello, I have a source that contains events like these:

"MONEY LEFT: 1.000,00"
"MONEY LEFT: 000,00"
"MONEY LEFT: 350,00"
"MONEY LEFT: 1290,00"
"MONEY LEFT: 50,00"

What I would like to do is to anonymize the amount of money left (1.000,00 000,00 350,00 and so on). The output desired is

"MONEY LEFT: XXX,XX"

I tried with a sed command like these:

SEDCMD-nomoney = s/MONEY\sLEFT:\s(\S+)/MONEY LEFT: XXX,XX/g</

but it does not work all. Maybe the sed command need to know how many characters are going to be substituted? I mean that I cannot use (\S+)

Thanks for help,

Luca Caldiero Consoft Sistemi S.p.A.

Tags (3)
0 Karma

thiru53
New Member

Hi,
After adding above statement in props.conf file, how can we check it, whether it can work or not through SplunkWeb.

0 Karma

TheGU
Path Finder

Try :

SEDCMD-nomoney = s/MONEY LEFT: [\d\.\,]*/MONEY LEFT: XXX,XX/g
0 Karma

ziegfried
Influencer

The SED expression looks good to me. Can you post the whole stanza from your props.conf? Are you sure the sourcetype/source matches?

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...