sed cmd to anonymize data

cafissimo · ‎12-17-2010

Hello, I have a source that contains events like these:

"MONEY LEFT: 1.000,00"
"MONEY LEFT: 000,00"
"MONEY LEFT: 350,00"
"MONEY LEFT: 1290,00"
"MONEY LEFT: 50,00"

What I would like to do is to anonymize the amount of money left (1.000,00 000,00 350,00 and so on). The output desired is

"MONEY LEFT: XXX,XX"

I tried with a sed command like these:

SEDCMD-nomoney = s/MONEY\sLEFT:\s(\S+)/MONEY LEFT: XXX,XX/g</

but it does not work all. Maybe the sed command need to know how many characters are going to be substituted? I mean that I cannot use (\S+)

Thanks for help,

Luca Caldiero Consoft Sistemi S.p.A.

thiru53 · ‎12-20-2011

Hi,
After adding above statement in props.conf file, how can we check it, whether it can work or not through SplunkWeb.

TheGU · ‎12-19-2010

Try :

SEDCMD-nomoney = s/MONEY LEFT: [\d\.\,]*/MONEY LEFT: XXX,XX/g

ziegfried · ‎12-17-2010

The SED expression looks good to me. Can you post the whole stanza from your props.conf? Are you sure the sourcetype/source matches?

Are you a member of the Splunk Community?