Im trying to get a way to have SED (via search)  append a string to the raw log in the results window if a condition is met anywhere in the raw log file - in the example below if i find any series of six numbers index=* | rex mode=sed "s/(?<myTest>[0-9]{1,6})/\2<myTestFound>/g   What i would like is the following -and note the "<myTestFound>" at the end <MyData>"This is my raw log with 123456 present and 987654 also present</MyData><myTestFound>   But all i have been able to do so far is  <MyData>"This is my raw log with 123456<myTestFound> present and 987654<myTestFound> also present</MyData>   Can anyone give me some assistance in getting the first option going? thanks ... View more

Hi i'm looking to use a heavy forwarder to append a string to specific log messages. Im following the guide here https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata (specifically the "Anonymize data with a regular expression transform" part)which only seems to mask data, i dont want to alter the log entry as such but rather add something like "<Review Required>" to the end of the log that matches a specific regex. Can this be done using the heavy forwarder and transforms.conf? ... View more