Splunk Cloud Platform

Search Reference



Anonymizes the search results by replacing identifying data - usernames, ip addresses, domain names, and so forth - with fictional values that maintain the same word length. For example, it might turn the string user=carol@adalberto.com into user=aname@mycompany.com. This lets Splunk users share log data without revealing confidential or personal information.

See the Usage section for more information.


scrub [public-terms=<filename>] [private-terms=<filename>] [name-terms=<filename>] [dictionary=<filename>] [timeconfig=<filename>] [namespace=<string>]

Required arguments


Optional arguments

Syntax: public-terms=<filename>
Description: Specify a filename that includes the public terms NOT to anonymize.
Syntax: private-terms=<filename>
Description: Specify a filename that includes the private terms to anonymize.
Syntax: name-terms=<filename>
Description: Specify a filename that includes the names to anonymize.
Syntax: dictionary=<filename>
Description: Specify a filename that includes a dictionary of terms NOT to anonymize, unless those terms are in the private-terms file.
Syntax: timeconfig=<filename>
Description: Specify a filename that includes the time configurations to anonymize.
Syntax: namespace=<string>
Description: Specify an application that contains the alternative files to use for anonymizing, instead of using the built-in anonymizing files.


By default, the scrub command uses the dictionary and configuration files that are located in the $SPLUNK_HOME/etc/anonymizer directory. These default files can be overridden by specifying arguments to the scrub command. The arguments exactly correspond to the settings in the splunk anonymize CLI command. For details, issue the splunk help anonymize command.

You can add your own versions of the configuration files to the default location.

Alternatively, you can specify an application where you maintain your own copy of the dictionary and configuration files. To specify the application, use the namespace=<string> argument, where <string> is the name of the application that corresponds to the name that appears in the path $SPLUNK_HOME/etc/apps/<app>/anonymizer.

If the $SPLUNK_HOME/etc/apps/<app>/anonymizer directory does not exist, the Splunk software looks for the files in the $SPLUNK_HOME/etc/slave-apps/<app>/anonymizer directory.

The scrub command anonymizes all attributes, except those that start with underscore ( _ ) except _raw) or start with date_. Additionally, the following attributes are not anonymized: eventtype, linecount, punct, sourcetype, timeendpos, timestartpos.

The scrub command adheres to the default maxresultrows limit of 50000 results. This setting is documented in the limits.conf file in the [searchresults] stanza. See limits.conf in the Admin Manual.


1. Anonymize the current search results using the default files.

... | scrub

2. Anonymize the current search results using the specified private-terms file.

This search uses the abc_private-terms file that is located in the $SPLUNK_HOME/etc/anonymizer directory.

... | scrub private-file=abc_private-terms

Last modified on 22 July, 2020
script   search

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters