Sanitize already indexed data

There is some data that we want to sanitize in Splunk. I've already got a SEDCMD to do it for newly indexed data, but is there some way to modify the events that have already been indexed in Splunk. At worst, I will delete the events, but ideally I would like to just XXX out a specific field.

asked 08 Mar '11, 15:47

mslvrstn
284●2●10
accept rate: 45%

One Answer:

oldest newest most voted

As far as I know, once it is indexed, it is immutable. You can restrict access to the data via a role's search strings, and you can use | rex mode=sed ... to hide data at search time. Perhaps combine both to enforce a sed for a particular role?

link

answered 08 Mar '11, 16:45

Jason
3.6k●6●10●73
accept rate: 43%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

events ×167
database ×86

Asked: 08 Mar '11, 15:47

Seen: 1,472 times

Last updated: 05 Apr '11, 20:22

Sanitize already indexed data

Follow this question

Splunk Resources

Related questions