Hi, I'm looking to use a heavy forwarder to append a string to specific log messages. I'm following the guide here https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata (specifically the "Anonymize data with a regular expression transform" part), which only seems to mask data. I don't want to alter the log entry as such, but rather add something like "<Review Required>" to the end of the log that matches a specific regex.
Can this be done using the heavy forwarder and transforms.conf?
Hi @jazzijeff,
yes, it's possible.
You can do it on Heavy Forwarders (when present) or on indexers (without HFs).
The way to do this is (as described at https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata#Anonymize_data_with_a_regular_... ):
It's the same thing as anonymizing data, because you have to do a transformation on your data: in this case you have to transform the _raw log that matches a regex into the same log, adding the string "<Review Required>", something like this in props.conf:
[your_sourcetype]
# \1 re-inserts the matched text unchanged, then the tag is appended
SEDCMD-add_string = s/(.*your_string.*)/\1 <Review Required>/g
Ciao.
Giuseppe
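
The same tagging done with transforms.conf, which is what the question asked about. This is an added example, not part of either post: the stanza name `append_review_tag` is hypothetical, and `your_sourcetype` and `your_string` are the placeholders from the answer above.

```ini
# props.conf (on the heavy forwarder, or on the indexers if there is no HF)
[your_sourcetype]
# Run the transform below at parse time for this sourcetype
TRANSFORMS-append_review_tag = append_review_tag

# transforms.conf (same instance)
[append_review_tag]
# DEST_KEY = _raw replaces the whole event with FORMAT, so the regex
# has to capture the entire event. (?s) lets "." span line breaks so
# multi-line events are captured in full.
REGEX = (?s)^(.*your_string.*)$
# $1 is the original event text, unchanged; the tag is appended after it
FORMAT = $1 <Review Required>
DEST_KEY = _raw
```

Events that do not match REGEX pass through untouched. The rewrite happens at index time, so it only affects data ingested after the configuration is loaded, and the indexed event no longer matches the source log byte for byte.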