I'm wondering, is it possible to mask / anonymize data at index time for the _internal index? I have an Alert Action configured with a webhook, and I'm looking to mask the URI of the request in internal logs.

I'm able to mask the value at search time with this SPL:

```
index=_internal action=webhook
| rex field=url mode=sed "s/https?:\/\/www.domain.com\/(.*)/https:\/\/www.domain.com\/XXXX-XXXX-XXXX/g"
| table url
```

I tried to port this configuration to /opt/splunk/etc/system/local/ by creating a props.conf with the following:

```
[sourcetype::_internal]
SEDCMD-url = s/https?:\/\/www.domain.com\/(.*)/https:\/\/www.domain.com\/XXXX-XXXX-XXXX/g
```

AND

```
[splunkd]
SEDCMD-url = s/https?:\/\/www.domain.com\/(.*)/https:\/\/www.domain.com\/XXXX-XXXX-XXXX/g
```

Doesn't work. This is a standalone instance of Splunk running on an EC2 instance.

So my question is, is it even possible to filter Splunk-generated logs? Should I funnel these to transforms.conf and do it there? Is that possible?

Any help or insight would be greatly appreciated.
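One thing to check when moving this expression from search time to index time, shown as an added example that is not part of the original post: `rex field=url` rewrites only the extracted `url` field, while `SEDCMD` is applied to the whole raw event, so the greedy `(.*)` also swallows everything after the URL. The sample event, its field layout, and the bounded pattern are constructed for illustration, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# Constructed sample event (layout assumed for illustration, not real splunkd output).
RAW_EVENT = (
    '03-01-2024 10:15:02.123 +0000 INFO sendmodalert - action=webhook '
    'url="https://www.domain.com/hooks/AAAA-BBBB-CCCC" '
    'sid=scheduler_example_1 status=200'
)

MASKED = "https://www.domain.com/XXXX-XXXX-XXXX"

# The match half of the sed expression from the post: greedy (.*), unescaped dots.
POST_PATTERN = re.compile(r"https?:\/\/www.domain.com\/(.*)")

# Hypothetical bounded variant: literal dots, and the path stops at
# whitespace or a double quote instead of running to end of line.
BOUNDED_PATTERN = re.compile(r'https?://www\.domain\.com/[^\s"]*')


def extract_url(raw):
    """Mimic a search-time field extraction of url="..." from the raw event."""
    match = re.search(r'url="([^"]*)"', raw)
    return match.group(1) if match else None


def mask(pattern, text):
    """Apply the substitution the way sed's s/.../.../g would."""
    return pattern.sub(MASKED, text)


if __name__ == "__main__":
    # Search-time equivalent: only the field value is rewritten.
    print("field :", mask(POST_PATTERN, extract_url(RAW_EVENT)))
    # Index-time equivalent: the whole raw event is rewritten.
    print("greedy:", mask(POST_PATTERN, RAW_EVENT))
    print("bound :", mask(BOUNDED_PATTERN, RAW_EVENT))
```

With the greedy pattern the closing quote, `sid` and `status` are lost from the stored event; the bounded pattern masks only the URL path.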