All,
I have data flowing through a heavy forwarder. Security wants a SECOND heavy forwarder that they manage to SEDCMD out certain PII. Is it possible to reprocess already cooked data?
No. Once the data is passed the parsing phase it cannot go back. Even worse, you could end up with a situation where the events from a search show the SEDCMD data, but the interesting fields and _raw show the original data.