000220170822013085255 017 AWS not associated with salary Number ASSD-BUS-0000 1
000220170822013085259 017 AWS not associated with salary Number ASN-BUS-0000
i want to sentence to be:
AWS not associated with salary Number ASSD-BUS-0000 1
AWS not associated with salary Number ASN-BUS-0000
Assuming the first 3 words in the sentence are in a single field called FirstThreeWords
, you can do something like this:
| rex field=FirstThreeWords "(?<LastWord>\S+$)"
Then use LastWord
in your sentence.
Or assuming that you need to strip the first 2 words of your Sentence
field, you can do something like this:
| rex field=Sentence mode=sed "s/^\S+\s+\S+\s+//"
hey @premranjithj
1) If you want to remove a number from an event from splunk indexers then you will have to use index-time field extractions.
Refer this link:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Anonymizedata#Anonymize_data_with_a_regular_e...
2) If you want to remove a number from an event during search time then you can use regex
index=your_index | rex field=_raw "\d+\s\d+\s(?P<AWS_data>.*)"
Let me know if this helps!
@premranjithj, do you want to do this at index time or search time?
or if all you really want is just the results starting with AWS:
| rex field=sentence "^.*(?<show>AWS.*$)" | table show
(thanks niketnilay, I keep forgetting to use the code button)
@MonkeyK you would need to post your code with the code button so that it does not escape.
is this you want or something else, please clarify -
Anonymize data
This topic discusses how to anonymize data that comes into Splunk Enterprise, such as credit card and Social Security numbers.
You might want to mask sensitive personal data when indexing log events. Credit card numbers and social security numbers are two examples of data that you might not want to appear in an index. This topic describes how to mask part of confidential fields to protect privacy while providing enough remaining data for use in tracking events.
Splunk Enterprise lets you anonymize data in two ways:
Through a regular expression (regex) transform
Through a sed script
http://docs.splunk.com/Documentation/Splunk/6.2.8/Data/Anonymizedatausingconfigurationfiles