scrub

scrub

Synopsis

Anonymizes the search results using the dictionary and configuration files found in $SPLUNK_HOME/etc/anonymizer, unless others are specified.

Syntax

scrub [public-terms=<filename>] [private-terms=<filename>] [name-terms=<filename>] [dictionary=<filename>] [timeconfig=<filename>]

Optional arguments

public-terms

Syntax: public-terms=<filename>

Description: Specify a filenname that includes the public terms to be anonymized.

private-terms

Syntax: private-terms=<filename>

Description: Specify a filenname that includes the private terms to be anonymized.

name-terms

Syntax: name-terms=<filename>

Description: Specify a filenname that includes names to be anonymized.

dictionary

Syntax: dictionary=<filename>

Description: Specify a filename that includes a dictionary of terms to be anonymized.

timeconfig

Syntax: timeconfig=<filename>

Description: Specify a filename that includes time configurations to be anonymized.

Description

Anonymizes the search results by replacing identifying data - usernames, ip addresses, domain names, etc. - with fictional values that maintain the same word length. For example, it may turn the string user=carol@adalberto.com into user=aname@mycompany.com. This lets Splunk users share log data without revealing confidential or personal information. By default the dictionary and configuration files found in $SPLUNK_HOME/etc/anonymizer are used. These can be overridden by specifying arguments to the scrub command. The arguments exactly correspond to the settings in the stand-alone CLI anonymize command, and are documented there.

Anonymizes all attributes, exception those that start with _ (except _raw) or date_, or the following attributes: eventtype, linecount, punct, sourcetype, timeendpos, timestartpos.

Examples

Example 1: Anonymize the current search results.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the scrub command.

• Was this topic useful?
• Post a comment