In your props.conf for the source-type add a SEDCMD possibly like this.
SEDCMD-email = s/[\w!#$%&'+=?^_‘{|}~.-]+@(?:[\w!#$%&'+=?^_‘{|}~.-]+)*/XXXXX@EMAIL/g
https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_script
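To see what the SEDCMD above would actually rewrite before it goes into props.conf, this added example (not part of the original post) runs the same regex over constructed events. Python's `re` stands in for Splunk's regex engine, which is an assumption, and the function names and sample events are made up for illustration.

```python
import re

# Regex body copied verbatim from the SEDCMD line in the post above.
EMAIL_RE = re.compile(r"[\w!#$%&'+=?^_‘{|}~.-]+@(?:[\w!#$%&'+=?^_‘{|}~.-]+)*")
REPLACEMENT = "XXXXX@EMAIL"

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    "2024-01-05T10:00:01Z action=login user=alice.smith@example.com src=10.0.0.5",
    "mail from=<bob+alerts@mail.example.org> to=<carol@example.net>",
    "Password reset sent to dave@example.com.",
    "session opened for deploy@ (host missing)",
]


def matched_spans(event):
    """Return the exact substrings the pattern would replace."""
    return [m.group(0) for m in EMAIL_RE.finditer(event)]


def anonymize(event):
    """Apply the same global substitution the SEDCMD performs (s/.../.../g)."""
    return EMAIL_RE.sub(REPLACEMENT, event)


def overmatches(event):
    """Return matches that cover more than a bare address.

    Flags a key= prefix pulled into the local part, a trailing period,
    or a match with no domain at all (the domain group is optional).
    """
    flagged = []
    for span in matched_spans(event):
        local_part = span.split("@", 1)[0]
        if "=" in local_part or span.endswith((".", "@")):
            flagged.append(span)
    return flagged


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("before:", event)
        print("after: ", anonymize(event))
        print("review:", overmatches(event) or "none")
        print()
```

Because `=` and `.` are in the character class, a match can take a preceding `key=` and a trailing period with it, so check that field extractions on the masked field still behave as intended.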
Custom searches are probably your best bet
https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/Writeasearchcommand
https://www.youtube.com/watch?v=dc89nCWY35c
Using dedup on multiple fields with the comma isn't only working on the first field. It is actually removing events where the host and IP BOTH match.