Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

scrub

Description

Anonymizes the search results by replacing identifying data - usernames, ip addresses, domain names, and so forth - with fictional values that maintain the same word length. For example, it might turn the string user=carol@adalberto.com into user=aname@mycompany.com. This lets Splunk users share log data without revealing confidential or personal information.

See the Usage section for more information.

Syntax

scrub [public-terms=<filename>] [private-terms=<filename>] [name-terms=<filename>] [dictionary=<filename>] [timeconfig=<filename>] [namespace=<string>]

Required arguments

None

Optional arguments

public-terms
Syntax: public-terms=<filename>
Description: Specify a filename that includes the public terms NOT to anonymize.
private-terms
Syntax: private-terms=<filename>
Description: Specify a filename that includes the private terms to anonymize.
name-terms
Syntax: name-terms=<filename>
Description: Specify a filename that includes the names to anonymize.
dictionary
Syntax: dictionary=<filename>
Description: Specify a filename that includes a dictionary of terms NOT to anonymize, unless those terms are in the private-terms file.
timeconfig
Syntax: timeconfig=<filename>
Description: Specify a filename that includes the time configurations to anonymize.
namespace
Syntax: namespace=<string>
Description: Specify an application that contains the alternative files to use for anonymizing, instead of using the built-in anonymizing files.

Usage

By default, the scrub command uses the dictionary and configuration files that are located in the $SPLUNK_HOME/etc/anonymizer directory. These default files can be overridden by specifying arguments to the scrub command. The arguments exactly correspond to the settings in the splunk anonymize CLI command. For details, issue the splunk help anonymize command.

You can add your own versions of the configuration files to the default location.

Alternatively, you can specify an application where you maintain your own copy of the dictionary and configuration files. To specify the application, use the namespace=<string> argument, where <string> is the name of the application that corresponds to the name that appears in the path $SPLUNK_HOME/etc/apps/<app>/anonymizer.

If the $SPLUNK_HOME/etc/apps/<app>/anonymizer directory does not exist, the Splunk software looks for the files in the $SPLUNK_HOME/etc/slave-apps/<app>/anonymizer directory.

The scrub command anonymizes all attributes, except those that start with underscore ( _ ) except _raw) or start with date_. Additionally, the following attributes are not anonymized: eventtype, linecount, punct, sourcetype, timeendpos, timestartpos.

The scrub command adheres to the default maxresultrows limit of 50000 results. This setting is documented in the limits.conf file in the [searchresults] stanza. See limits.conf in the Admin Manual.

Examples

1. Anonymize the current search results using the default files.

... | scrub

2. Anonymize the current search results using the specified private-terms file.

This search uses the abc_private-terms file that is located in the $SPLUNK_HOME/etc/anonymizer directory.

... | scrub private-file=abc_private-terms

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the scrub command.

PREVIOUS
script
  NEXT
search

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.1.1


Comments

This command appears to have an undocumented (and inescapable?) limit of 50000 events. What are the full details?

Woodcock
April 25, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters