In this example, any file under a "secure" directory will have its email and password values replaced with dummy values.
Step 1) In props.conf, tell Splunk that any file under a "secure" directory should run our two transformation rules over the data.
[source::.../secure/...]
TRANSFORMS = anonymize-email,anonymize-password
Step 2) In transforms.conf, specify two transformations, via regular expressions, for email addresses and passwords, and what they should be replaced with.
# anonymizes email address as user@domain.com
# the lookbehind rejects '.' and '-' as well as word characters, so the greedy
# ^(.*) cannot stop partway through a local part like alice.smith and leave "alice." behind
[anonymize-email]
REGEX = ^(.*)(?:(?<![\w\-\.])(\w[\w\-\.]+@\w[\w\-\.]+\.[a-z]{1,4}))(.*)$
FORMAT = $1 user@domain.com $3
DEST_KEY = _raw
# anonymizes password/passwd looking values as 'password'
# examples:
# passwd=none
# LogOdbcPassword: sqllog
# file needs this password: `xxj31ZMTZzkVA'.
# user_password = '52616e646f6d49567868784027dafce21cd9c6689fc5554c'
[anonymize-password]
REGEX = (?i)^(.*passw(?:or)?d\s*[=:]\s*?)([^, \t]+)(\s*.*)$
FORMAT = $1 password $3
DEST_KEY = _raw
That's it. Any file under a "secure" directory should have its email addresses replaced with "user@domain.com" and its passwords replaced with "password".
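To check the two rules before deploying them, the following added example (not Splunk's own code, and not from this page) re-implements the one piece of transforms.conf behaviour they rely on: when REGEX matches, an event with DEST_KEY = _raw is rewritten to FORMAT with each $N replaced by capture group N, and the transforms run in the order props.conf lists them. The sample events are constructed. The email rule uses a lookbehind that also rejects '.' and '-'; a second copy with a plain (?<!\w) lookbehind is kept only to show what goes wrong with a dotted or hyphenated local part.

```python
"""Offline check of the anonymize-email / anonymize-password transforms.

Added example: a minimal stand-in for how Splunk applies a transforms.conf
stanza with DEST_KEY = _raw. Splunk evaluates REGEX with PCRE; Python's re
module handles every construct used here (lookbehind, (?i), \\w, lazy \\s*?)
the same way, so results match what the indexer would produce.
"""
import re

# REGEX/FORMAT pairs as they would appear in transforms.conf, listed in the
# order the props.conf TRANSFORMS line names them.
EMAIL_REGEX = r"^(.*)(?:(?<![\w\-\.])(\w[\w\-\.]+@\w[\w\-\.]+\.[a-z]{1,4}))(.*)$"
EMAIL_FORMAT = "$1 user@domain.com $3"
PASSWORD_REGEX = r"(?i)^(.*passw(?:or)?d\s*[=:]\s*?)([^, \t]+)(\s*.*)$"
PASSWORD_FORMAT = "$1 password $3"
TRANSFORMS = [(EMAIL_REGEX, EMAIL_FORMAT), (PASSWORD_REGEX, PASSWORD_FORMAT)]

# Same email rule with a lookbehind that rejects only \w. Kept to demonstrate
# the gap: after "alice." the lookbehind passes, the greedy ^(.*) keeps the
# prefix, and only "smith@example.com" is masked.
EMAIL_REGEX_WORD_ONLY = r"^(.*)(?:(?<!\w)(\w[\w\-\.]+@\w[\w\-\.]+\.[a-z]{1,4}))(.*)$"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2024-01-15T10:22:01 login ok user=alice.smith@example.com src=10.0.0.5",
    "Jan 15 10:23:44 app[311]: LogOdbcPassword: sqllog connecting to db01",
    "cfg: user_password = 'S3cret-Value!' timeout=30",
    "POST /login email=bob-jones@corp.example.org password=hunter2, remember=1",
    "notify from=ops@example.net to=carol@example.net",
]


def apply_transform(raw, regex, fmt):
    """Mimic one transform with DEST_KEY = _raw.

    If REGEX matches, the whole event becomes FORMAT with every $N replaced by
    capture group N (an empty group yields ""). If REGEX does not match, the
    event is returned unchanged, as Splunk leaves _raw alone in that case.
    """
    m = re.match(regex, raw)
    if m is None:
        return raw
    return re.sub(r"\$(\d+)", lambda ref: m.group(int(ref.group(1))) or "", fmt)


def mask_email(raw, regex=EMAIL_REGEX):
    """Apply only the email rule, optionally with the word-only lookbehind."""
    return apply_transform(raw, regex, EMAIL_FORMAT)


def anonymize(raw, transforms=TRANSFORMS):
    """Run the transforms in props.conf order; each one sees the previous output."""
    for regex, fmt in transforms:
        raw = apply_transform(raw, regex, fmt)
    return raw


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("before:", event)
        print("after: ", anonymize(event))
        print()
    # Show the effect of the weaker lookbehind on a dotted local part.
    print("word-only lookbehind:", mask_email(SAMPLE_EVENTS[0], EMAIL_REGEX_WORD_ONLY))
```

Three things the output makes visible that the stanzas alone do not: the literal spaces in FORMAT are carried into the event (so "user=alice.smith@example.com" becomes "user= user@domain.com " and a key=value extraction of user will come up empty unless the spaces are removed from FORMAT); the greedy ^(.*) in the email rule masks only the rightmost address in an event, so "from=ops@example.net to=carol@example.net" keeps the first one; and these are index-time transforms, applied in the parsing pipeline of an indexer or heavy forwarder, not by a universal forwarder.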