There is some data that we want to sanitize in Splunk. I've already got a SEDCMD to do it for newly indexed data, but is there some way to modify the events that have already been indexed in Splunk? At worst, I will delete the events, but ideally I would like to just XXX out a specific field.
asked 08 Mar '11, 15:47
As far as I know, once it is indexed, it is immutable. You can restrict access to the data via a role's search strings, and you can use
answered 08 Mar '11, 16:45