How to anonymize part of event

Starlette
Contributor

If I have data and I want to anonymize a part of an event (extracted field, let's say user),
I want to keep the original events in indexA and the anonymized events in indexB.

  • Does this affect my license? (doubled)
  • And if so, is it possible to route only the anonymized part to indexB and build searches for user and orig event in a way?
Starlette
Contributor

OK, just wanted to make sure... (I hoped that you could also extract a unique ID and use this with a specific search/transaction.)
So let's say that I cut the user part, and only index that one to indexB, and reconstruct this with searches over indexA and indexB on _time and "someid".

hazekamp
Builder

Starlette,

Collecting both original and anonymized events in separate indexes would effectively double licensing for those particular events. There is nothing I am aware of that would let you index only anonymized parts and reconstruct at search time.
