We are trying to mask some data from winhostmon using SEDCMD. The sample data sourcetype=WinHostMon source=process : Type=Process Name="wfcrun32.exe" ProcessId=1 CommandLine="C:\PROGRAM FILES (X86)\Test\test.EXE" /h0 "C:\Program Files (x86)\Test2\test2.test" /username:"Test" /domain:AD /password:"test" StartTime="20170516135737.278912+120" Host="test-test2-test3" Path="C:\PROGRAM FILES (X86)\Test\test.EXE" Props: [WinHostMon] SEDCMD-anonymize=s/\/password.*$/\/password:XXXXX/g The issue is that it is not masking the data, i have tried sourcetype,source and host on the indexer but still its not masking. If i upload a test file with data using the add data option i am able to mask the data using the SEDCMD, same goes for a file with a static sourcetype. My guess is that the source/sourcetype is not correct because of the way Splunk identifies the data at indexing/parsing. Does anyone have an idea how i can mask the data at indexing time? The data is being send from a universal forwarder to our indexers so it is not passing through a heavy forwarder. ... View more

On our search head cluster we are running into the following issue. When searching using the time picker everything works as expected, when searching using earliest/latest in the search we are running into issues. If the time range picker is set to last 60 minutes and earliest in the search is earliest=-15m it works. If i set earliest=-1d@d it only shows data from the last 60 minutes. If i try the same thing on a fresh install or a non search head cluster member i am getting the notification: Your timerange was substituted based on your search string. And i am getting the correct timeframe/data. Does anyone have an idea what kind of setting/conf i should be looking at? We are running splunk 7.0.3 ... View more