Todd Waller

Splunk - Using sed to change data

Hello again everyone! In this post we will demonstrate how to use the sed command, either in-line or at index time (SEDCMD), to change data the way you would like. For this example I am going to use a sample JSON record to mask IP addresses. Say we have a record that looks like this:


This is a sample log, but pretend it's not. We don't want some people to be able to see the IP addresses. Usually we would adjust their role so they don't have access to these logs, but that's for another post. So let's mask the IPs. We can do that in-line using the rex command with mode=sed and a regex that matches the IP format. Once the IPs match the regex we can choose what we'd like to display instead of the IP. I tend to keep the same format but replace the digits with X's.



Now we know that the replace works properly and matches all of the IPs.


If we wanted to do this at index time instead, you could add a line to props.conf on the indexers or heavy forwarders and have it persistently catch and change the data as it is indexed. Something like this:



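As an added example (not the post's own record or config), here is the same sed-style substitution worked through in Python against a constructed JSON event, covering both the in-line rex mode=sed form and the SEDCMD form. The sourcetype name in the commented stanza and the sample field names are assumptions.

```python
import json
import re

# Constructed sample event (not the record from the post).
SAMPLE_EVENT = json.dumps({
    "timestamp": "2024-01-01T12:00:00Z",
    "src_ip": "10.20.30.40",
    "dest_ip": "192.168.1.7",
    "message": "connection from 10.20.30.40 to 192.168.1.7:443 accepted",
})

# The same sed expression is accepted by `| rex mode=sed "..."` at search
# time and by a SEDCMD-<name> setting in props.conf at index time.
# Hypothetical props.conf stanza (sourcetype name is assumed):
#   [my_json_sourcetype]
#   SEDCMD-mask_ip = s/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/XXX.XXX.XXX.XXX/g
MASK_IP_SED = r"s/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/XXX.XXX.XXX.XXX/g"

def parse_sed_substitute(expr):
    """Split an s/regex/replacement/flags expression into its three parts.
    Only the 's' command is handled, and '/' is the delimiter, so the
    text after 's/' is split on unescaped '/' characters."""
    if not expr.startswith("s/"):
        raise ValueError("only 's/.../.../' expressions are supported")
    parts = re.split(r"(?<!\\)/", expr[2:])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    return parts[0], parts[1], parts[2]

def apply_sed(expr, text):
    """Apply a sed-style substitution to a string. Without the 'g' flag
    only the first match is replaced, exactly as sed behaves."""
    regex, replacement, flags = parse_sed_substitute(expr)
    # sed writes back-references as \1..\9; Python's re wants \g<1>.
    py_replacement = re.sub(r"\\(\d)", r"\\g<\1>", replacement)
    count = 0 if "g" in flags else 1
    return re.sub(regex, py_replacement, text, count=count)

def mask_ips(event_json, sed_expr=MASK_IP_SED):
    """Mask every IPv4 address in a raw JSON event and confirm the event
    is still valid JSON afterwards: a rule that disturbed the quoting
    would leave the event unparseable at search time."""
    masked = apply_sed(sed_expr, event_json)
    json.loads(masked)  # raises if the substitution damaged the structure
    return masked

if __name__ == "__main__":
    print(mask_ips(SAMPLE_EVENT))
```

Note that the regex also matches any dotted quad such as a version string, and that an index-time SEDCMD only affects data indexed after the change, so events already on disk keep their original IPs.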

Now we can run the search without the in-line sed replace, just a simple search like this:




Hope this helps you get your data formatted the way you want, or masked/hidden like you were looking for. Come back next week for a new post.

Have a great week!

