scrub
This documentation does not apply to the most recent version of Splunk.
Synopsis
Anonymizes the search results.
Syntax
scrub [public-terms=filename] [private-terms=filename] [name-terms=filename] [dictionary=filename] [timeconfig=filename]
Arguments
- public-terms
  - Datatype: <filename>
  - Description:
- private-terms
  - Datatype: <filename>
  - Description:
- name-terms
  - Datatype: <filename>
  - Description:
- dictionary
  - Datatype: <filename>
  - Description: By default the dictionary and configuration files found in $splunk_home/etc/anonymizer are used.
Description
Anonymizes the search results by replacing identifying data (usernames, IP addresses, domain names, etc.) with fictional values that maintain the same word length. For example, it may turn the string user=carol@adalberto.com into user=aname@mycompany.com. This lets Splunk users share log data without revealing confidential or personal information.

By default the dictionary and configuration files found in $splunk_home/etc/anonymizer are used. These can be overridden by specifying arguments to the scrub command. The arguments correspond exactly to the settings in the stand-alone splunk anonymize command, and are documented there.

The command anonymizes all attributes except those that start with _ (other than _raw) or date_, and except the following attributes: eventtype, linecount, punct, sourcetype, timeendpos, timestartpos.
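An added example (not from the Splunk documentation): a Python check, run over one event exported before and after scrub, that applies the field rule stated above and reports sensitive terms that survive. The event values, the term list and the function names are constructed for illustration; the scrubbed values are not output captured from Splunk.

```python
# Fields the Description lists as never anonymized by scrub.
EXEMPT_FIELDS = {"eventtype", "linecount", "punct", "sourcetype",
                 "timeendpos", "timestartpos"}


def is_scrubbed(field):
    """Apply the Description's rule: is this field anonymized by scrub?"""
    if field == "_raw":
        return True                      # the one "_" field that is anonymized
    if field.startswith("_") or field.startswith("date_"):
        return False
    return field not in EXEMPT_FIELDS


def audit(original, scrubbed, sensitive):
    """Compare one event before and after scrubbing.

    Returns (leaks, length_changes):
      leaks          -- (field, term) pairs where a sensitive term is still present
      length_changes -- anonymized fields whose value length changed
    """
    leaks, length_changes = [], []
    for field, after in scrubbed.items():
        for term in sensitive:
            if term.lower() in after.lower():
                leaks.append((field, term))
        if is_scrubbed(field) and len(after) != len(original.get(field, "")):
            length_changes.append(field)
    return leaks, length_changes


# Constructed sample event; the scrubbed values are illustrative, not Splunk output.
ORIGINAL = {"_raw": "user=carol@adalberto.com", "user": "carol@adalberto.com",
            "sourcetype": "adalberto_vpn", "_time": "1262304000", "date_hour": "9"}
SCRUBBED = {"_raw": "user=aname@mycompany.com", "user": "aname@mycompany.com",
            "sourcetype": "adalberto_vpn", "_time": "1262304000", "date_hour": "9"}
SENSITIVE = ["carol", "adalberto"]       # assumption: terms you must not disclose

if __name__ == "__main__":
    leaks, length_changes = audit(ORIGINAL, SCRUBBED, SENSITIVE)
    for field, term in leaks:
        note = "" if is_scrubbed(field) else " (field is exempt from scrub)"
        print(f"LEAK {field}: {term!r} still present{note}")
    for field in length_changes:
        print(f"LENGTH {field}: value length changed")
```

The sourcetype hit in the sample shows why fields exempt from scrub need their own review before scrubbed results are shared.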
Examples
Example 1: Anonymize the current search results.
... | scrub

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11