Hello experts,

I'm trying to obfuscate the UserName and ComputerName from my events before indexation, while keeping the possibility of using the data to group from a common source.

Configuration: data are pushed by a UniversalForwarder (no transform options) to a SplunkCloud instance (limited setup).

Example: I have this:

time1|UserName=user1|ComputerName=FR1234|EventStart
time2|UserName=user1|ComputerName=FR1234|EventEnd
time3|UserName=user2|ComputerName=US4321|EventStart
time4|UserName=user2|ComputerName=US4321|EventEnd
time5|UserName=user1|ComputerName=US4321|EventStart
time6|UserName=user1|ComputerName=US4321|EventEnd

And want something like this:

time1|UserName=#####|ComputerName=FR#|GeneratedSessionID=eifiweuh|EventStart
time2|UserName=#####|ComputerName=FR#|GeneratedSessionID=eifiweuh|EventEnd
time3|UserName=#####|ComputerName=US#|GeneratedSessionID=fwefwe|EventStart
time4|UserName=#####|ComputerName=US#|GeneratedSessionID=fwefwe|EventEnd
time5|UserName=#####|ComputerName=US#|GeneratedSessionID=hkukuyy|EventStart
time6|UserName=#####|ComputerName=US#|GeneratedSessionID=hkukuyy|EventEnd

Where GeneratedSessionID=function(user1,FR1234,encryptKey) or something similar, meaning that the same couple computer+user will always create the same GeneratedSessionID.

I'm looking at adding a SEDCMD setting on the Advanced tab of my SourceType. I see how to anonymize the UserName and ComputerName, but not how to add a new field based on the others.

Any advice in that direction would be welcome, or any solution that will match with the restriction of my configuration.

Thanks in advance,
Florent
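The transformation asked for above, as an added example that is not part of the original post and not a Splunk feature: a Python filter that masks both fields and derives GeneratedSessionID as a truncated HMAC-SHA256 of the user and computer name. It assumes the filter can run on the log before the Universal Forwarder reads it; the names `session_id`, `pseudonymize` and the demo key are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample events, in the format shown in the post.
SAMPLE = [
    "time1|UserName=user1|ComputerName=FR1234|EventStart",
    "time2|UserName=user1|ComputerName=FR1234|EventEnd",
    "time3|UserName=user2|ComputerName=US4321|EventStart",
    "time5|UserName=user1|ComputerName=US4321|EventStart",
]

EVENT_RE = re.compile(r"UserName=(?P<user>[^|]*)\|ComputerName=(?P<host>[^|]*)")


def session_id(user: str, host: str, key: bytes, length: int = 12) -> str:
    """Keyed pseudonym: the same (user, host, key) always gives the same ID."""
    # The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    msg = user.encode() + b"\x00" + host.encode()
    # HMAC rather than a bare hash: without the key, nobody can rebuild the
    # mapping by hashing a list of candidate user and computer names.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def pseudonymize(line: str, key: bytes) -> str:
    """Mask UserName, keep the 2-letter ComputerName prefix, add the ID."""
    m = EVENT_RE.search(line)
    if m is None:
        return line  # no UserName|ComputerName pair: returned unchanged
    user, host = m.group("user"), m.group("host")
    masked = (f"UserName=#####|ComputerName={host[:2]}#"
              f"|GeneratedSessionID={session_id(user, host, key)}")
    return line[:m.start()] + masked + line[m.end():]


if __name__ == "__main__":
    # Constructed placeholder key; a real one belongs in a secret store.
    demo_key = b"constructed-demo-key"
    for event in SAMPLE:
        print(pseudonymize(event, demo_key))
```

Anyone holding the key can recompute the ID for a known user and computer, so the key needs the same protection as the original names; rotating it breaks grouping across the rotation.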