Hello everybody,
I am new to Splunk and I am trying to anonymize an email address in my logfile with the help of the files props.conf and transforms.conf.
I copied the files into the etc/system/local directory and adapted them like this:
props.conf:
[MyLog]
TRANSFORMS-anonymize = email-anonymizer
transforms.conf:
[email-anonymizer]
DEST_KEY = _raw
REGEX = ([a-zA-Z0-9.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+)
FORMAT = *********
This is a row of my sample Logfile:
Oct 26 09:38:24 AAA123 BBB adhjjd adjhah massss@web.de dkjasd adkdsjkd
I stopped Splunk, cleaned the index and started Splunk again. The source name of my logfile is "MyLog".
That's what Splunk made out of it:
10/26/17 9:38:24.000 AM *********
I also tried FORMAT=$1*****$2, to concat the strings, but this does not work at all.
Can anybody please give me a hint, what I'm doing wrong or if it is better to use a sed cmd?
Thanks in advance
Mel
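
Added example, not part of the original post: with DEST_KEY = _raw the expanded FORMAT becomes the entire event, so the text around the address has to be captured and written back, or the address can be masked in place with a SEDCMD in props.conf. The stanza names are taken from the post; the class name anonymize-email and the escaped dot in the pattern are assumptions of this example.

```ini
# transforms.conf (constructed example)
[email-anonymizer]
# $1 = everything before the address, $2 = everything after it.
# FORMAT is written to _raw as a whole, so both groups must be put back.
# This form masks only the first address in an event.
REGEX = (?m)^(.*?)[a-zA-Z0-9.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+(.*)$
FORMAT = $1*********$2
DEST_KEY = _raw

# props.conf, variant A: keep using the transform above
[MyLog]
TRANSFORMS-anonymize = email-anonymizer

# props.conf, variant B: no transforms.conf entry needed.
# sed-style substitution at index time; the g flag masks every
# address in the event, not just the first one.
# Use either variant A or variant B, not both.
# [MyLog]
# SEDCMD-anonymize-email = s/[a-zA-Z0-9.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+/*********/g
```

For the sample row in the post, either variant indexes `Oct 26 09:38:24 AAA123 BBB adhjjd adjhah ********* dkjasd adkdsjkd`. Both apply at index time only, so events that are already indexed keep the clear-text address until they are re-indexed.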