Append data to logs matching regex

jazzijeff · ‎10-06-2021

Hi i'm looking to use a heavy forwarder to append a string to specific log messages. Im following the guide here https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata (specifically the "Anonymize data with a regular expression transform" part)which only seems to mask data, i dont want to alter the log entry as such but rather add something like "<Review Required>" to the end of the log that matches a specific regex.

Can this be done using the heavy forwarder and transforms.conf?

gcusello · ‎10-06-2021

Hi @jazzijeff,

yes, its possible.

You can do it on Heavy Forwarders (when present) or on indexers (without HFs).

The way to do this are (as described at https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata#Anonymize_data_with_a_regular_... :

the SEDCMD command in props.conf,
props.conf and transforms.conf.

It's the same thing that anonymize data, because you have to do a transformation on you data: in this case you have to transform the _row log that matches a regex in the same log adding the string "<Review Required>" , something like this in props.conf:

[your_sourcetype]
SEDCMD-add_string = s/.*your_string.*/.*your_string.*\<Review Required\>/g

Ciao.

Giuseppe

Append data to logs matching regex

heavy forwarder

indexer

transforms.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!