- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- i just want to extract the number from the below s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the Information in service : ID R1-7857hi75 is duplicated
i want to make it as
the Information in service : ID R1-******* is duplicated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj,
If you want to anonymise during search time you use below query
< your search> | rex mode=sed "s/(?m)(\-)(\w+)/\1xxx/g
If you want to anonymise value during index time, please add below config on props.conf in Indexer or Heavy Forwarder whichever comes first.
props.conf
[yoursourcetype]
SEDCMD-maskvalue = s/(?m)(\-)(\w+)/\1xxx/g
I hope this helps.
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @premranjithj,
If you want to anonymise during search time you use below query
< your search> | rex mode=sed "s/(?m)(\-)(\w+)/\1xxx/g
If you want to anonymise value during index time, please add below config on props.conf in Indexer or Heavy Forwarder whichever comes first.
props.conf
[yoursourcetype]
SEDCMD-maskvalue = s/(?m)(\-)(\w+)/\1xxx/g
I hope this helps.
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harsmarvania57. thanks its worked.
can you please explain me the expression. i just want to understand to form other expression
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using sed mode in rex so in expression format is s/regexp/replacement/flags, in this format s means substitute then regex (?m)(\-)(\w+) (This will find data in (?m)->multiline with pattern - (-) in first capturing group (\w+) means word with any length in second capturing group) and replacement is \1xxx (Which will replace 2nd capturing group with xxx) and flag is g (Apply the replacement to all matches to the regexp, not just the first.)
For more explanation and play with regex with your sample data please refer https://regex101.com/r/HHefSs/1
Please accept my answer and upvote it, as it worked for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harsnarvania57. thanks much for making me to understand. its really good
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
