I found out that in one of my web logs that Splunk's been eating, there's data that I need to mask out. So, I've got two problems to solve:
(a) Removing the sensitive data (though not the WHOLE event) from already-indexed data, and
(b) Making it so newly-indexed data has this same data masked.
What's my best way to approach this? It's data like this that I'm trying to mask:
173.103.16.2 - - [10/Jun/2011:16:09:27 -0500] "GET /admin/load-scripts.jsp?c=1&failedPassword=FAILEDPASSWORDIWANTTOMASK&otheroptions=3