Hi nandha_2,
No; if you need to process your logs before indexing, you have to run a pre-parsing script outside Splunk and index the output file.
We had to encrypt a field in a log file using a key, because our customer wanted to archive this data in encrypted format, but they also wanted the possibility to recreate the original value using the encryption key.
To do this, we used a script that parsed the log file, and then we indexed the output.
This is easy if you have a syslog data flow or a file on the Splunk server, but less easy if you receive logs via a Forwarder, because you have to distribute the external script to every Forwarder.
In addition, you lose real-time monitoring, because there is always a delay between log arrival and indexing time.
We asked Splunk to add the possibility of running a script before indexing, but it is not available yet.
Bye.
Giuseppe