We have some logs that have some sensitive data that I would like to replace with ********
. Is it possible to set up a regex to check a sourcetype/text match and do this?
I know it's possible to just drop the line, but I'm hoping to keep the rest of the line and just replace the "sensitive" data.
Look at the command "SEDCMD"in the props.conf, at index time.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Data/Anonymizedata
You probably want to use event based routing. Best thing you can do, is to set up a heavy/intermediate forwarder. This way you can set up a transforms that masks the data you like (based on regexes). You can read more about this here: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Configure_routing
You might also want to consider the following: How about not masking (=editing) the data, but instead move those specific lines to another index? You then grant access to that index only for those users that are accountable. That way you didn't edit the data, and restrict access to those who shouldn't be able to query it anyway. You find how in the same link (point 3 and 4).
Look at the command "SEDCMD"in the props.conf, at index time.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Data/Anonymizedata
Thank you, my search foo not so good, kept searching for censor.
Will give it a go.