Splunk - Using sed to change data
Hello again everyone! In this post we will demonstrate how to use the sed command, either in-line or at index time (SEDCMD), to change data the way you would like. In this example I am going to use a sample JSON record to mask IP addresses. Say we have a record that looks like this:
This is a sample log, but pretend it's not. We don't want some people to be able to see the IP addresses. Usually we would adjust their role so they don't have access to these logs, but that's for another post. So let's mask the IPs. We can do that in-line using the rex command with mode=sed and a regex that matches the IP format. Once the IPs match the regex, we can choose what we'd like to display instead of the IP. I tend to keep the same format but replace the digits with X's.
Now we know that the replace works properly and matches all IPs.
If we wanted to do this at index time instead, you could add a SEDCMD line to props.conf on the indexers or heavy forwarders so the data is changed persistently as it is indexed. Something like this:
Now we can run the search without the in-line sed replace. Just a simple search like this:
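As an added example (not the post's own search or props.conf stanza), here is the masking substitution in a form you can check outside Splunk: the same `s/.../.../g` expression that `rex mode=sed` and `SEDCMD-` accept, run through plain `sed` on a constructed JSON record. The sourcetype name `myjson`, the class name `mask_ip` and the field names in the sample record are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# The sed expression below is the one you would hand to Splunk; running it
# through ordinary sed lets you confirm the regex and the replacement shape
# before putting it in a search or in props.conf.

# Match an IPv4 dotted quad and replace it with X's in the same shape.
# [0-9]{1,3} is used instead of \d so the expression works in POSIX sed
# as well as in Splunk.
IP_MASK_SED='s/[0-9]{1,3}(\.[0-9]{1,3}){3}/XXX.XXX.XXX.XXX/g'

# Same expression as it would appear in Splunk (assumed names):
#   in-line:     index=main sourcetype=myjson
#                | rex field=_raw mode=sed "s/\d{1,3}(\.\d{1,3}){3}/XXX.XXX.XXX.XXX/g"
#   props.conf:  [myjson]
#                SEDCMD-mask_ip = s/\d{1,3}(\.\d{1,3}){3}/XXX.XXX.XXX.XXX/g

# mask_ips: read records on stdin, write them with every IPv4 address masked.
mask_ips() {
    sed -E "$IP_MASK_SED"
}

# mask_string: mask a single record passed as an argument.
mask_string() {
    printf '%s\n' "$1" | mask_ips
}

# Constructed sample JSON record (not a real log).
SAMPLE='{"src_ip":"10.1.2.3","dest_ip":"192.168.100.200","user":"alice","msg":"login from 172.16.0.9 ok"}'

# Prints the record with all three addresses replaced by XXX.XXX.XXX.XXX.
mask_string "$SAMPLE"
```

Two things worth checking before you ship this to props.conf: the pattern masks any four dot-separated numeric groups, so a version string like `1.2.3.4` would be masked too (a three-part value such as `1.2.3` is left alone), and once SEDCMD rewrites `_raw` at index time the original address is gone from the index, so the in-line `rex` form is the one to use when some roles still need the real value.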
Hope this helps you get your data formatted like you want or masked/hidden like you were looking for. Come back next week for a new post.
Have a great week!