Hi,
I'm wondering if there is a way to prevent a sensitive key-value pair that exists in cs_Cookie from appearing in Splunk. I have tried using SEDCMD on the forwarder, and it does change the _raw data, but the indexed value of cs_Cookie still contains the original data. For example:
IIS log
.. cs_Cookie ..
.. foo=bar;hide=me ..
props.conf
SEDCMD-cookie-cleaner = s/hide=\w+/hide=XXXX/g
As expected, this changes the _raw data to:
.. foo=bar;hide=XXXX ..
But, when I expand an event:
cs_Cookie="foo=bar;hide=me"
How is the original value making it to the indexer, and how can I get rid of it?
Thanks!