Hi,
I have a log
Audit:[timestamp=01-31-2013 11:51:21.164,user=admin,action=search,info=granted REST: /search/jobs/1359613261.13]
Suppose I want to mask the user name. I made the following configuration:
transforms.conf
[demo]
REGEX = (?i)^(.*?)user=\w+
FORMAT = $1user=######$2
DEST_KEY = _raw
props.conf
[sourcename]
TRANSFORMS-anonymize = demo
NO_BINARY_CHECK = 1
pulldown_type = 1
But I am getting output as
Audit:[timestamp=01-31-2013 11:51:21.164,user=######$2
I am not able to figure out why $2 is not working and I am not getting the event after the regex. Is something wrong with the regex?
I hope Splunk experts can help me out here.
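The behaviour described in the post, reproduced as an added example that is not part of the original post: the posted REGEX has only one capture group and stops matching after the user name, so `$2` has nothing to refer to and the rest of the event is not carried into `_raw`. The `rewrite_raw` and `username_leaked` helpers are hypothetical, the rewrite model is an assumption inferred from the output shown in the post, and the second pattern with a trailing `(.*)$` group is an addition made here.

```python
import re

# Constructed sample: the audit event quoted in the post above.
EVENT = ("Audit:[timestamp=01-31-2013 11:51:21.164,user=admin,"
         "action=search,info=granted REST: /search/jobs/1359613261.13]")

FMT = "$1user=######$2"                 # FORMAT from the post
POSTED = r"(?i)^(.*?)user=\w+"          # REGEX from the post: one capture group
FIXED = r"(?i)^(.*?)user=\w+(.*)$"      # added here: second group keeps the tail


def rewrite_raw(regex, fmt, raw):
    """Model of a DEST_KEY = _raw transform (assumption, inferred from the
    output in the post): on a match, _raw becomes FORMAT with $N replaced by
    capture group N; a $N that has no capture group stays as literal text."""
    m = re.search(regex, raw)
    if m is None:
        return raw  # no match: the event is left unchanged

    def group_or_literal(ref):
        n = int(ref.group(1))
        if n > m.re.groups:
            return ref.group(0)          # e.g. "$2" when only group 1 exists
        return m.group(n) or ""

    return re.sub(r"\$(\d+)", group_or_literal, fmt)


def username_leaked(rewritten, username="admin"):
    """Check a masking rule should pass: the original value is gone."""
    return f"user={username}" in rewritten


if __name__ == "__main__":
    for label, regex in (("posted", POSTED), ("with (.*)$", FIXED)):
        out = rewrite_raw(regex, FMT, EVENT)
        print(f"{label:12} -> {out}")
        print(f"{'':12}    leaked={username_leaked(out)}")
```

With the posted pattern the result is the truncated line from the question; with the second capture group the masked event keeps its `action` and `info` fields.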