The Parsing Engine • Room 2
Event Breaking & Transformations
Event breaking determines where one event ends and the next begins. Splunk uses SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, and LINE_BREAKER in props.conf to control this.
You can mask or delete sensitive data at index time using SEDCMD in props.conf or REGEX/FORMAT in transforms.conf. This is critical for PCI/HIPAA compliance.
Routing sends events to specific indexes based on content using transforms.conf with REGEX and DEST_KEY = _MetaData:Index.
Mask credit card numbers
[source::payment.log]
SEDCMD-mask_cc = s/(\d{4})\d{8}(\d{4})/\1XXXXXXXX\2/g
Knowledge Check
Which props.conf setting controls event boundaries?
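A way to check the SEDCMD-mask_cc rule above before deploying it, as an added example that is not part of the original lesson: the script emulates the substitution with Python's re module and reports Luhn-valid card numbers that are still readable after masking. The sample events, function names and the separator-tolerant detection pattern are assumptions made for illustration.

```python
import re

# The substitution from the SEDCMD-mask_cc line above, expressed for Python's re.
MASK = re.compile(r"(\d{4})\d{8}(\d{4})")
# Assumed detector: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def apply_sedcmd(line):
    """Emulate the page's SEDCMD-mask_cc substitution (with the g flag) on one event."""
    return MASK.sub(r"\1XXXXXXXX\2", line)


def luhn_ok(digits):
    """Luhn checksum, used to separate likely card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def surviving_pans(line):
    """Return Luhn-valid card-like numbers still present after masking."""
    hits = []
    for m in CANDIDATE.finditer(apply_sedcmd(line)):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(m.group())
    return hits


# Constructed sample events (4111 1111 1111 1111 is a widely used test number).
SAMPLES = [
    "2024-01-01 12:00:00 txn=1 card=4111111111111111 status=OK",
    "2024-01-01 12:00:01 txn=2 card=4111-1111-1111-1111 status=OK",
    "2024-01-01 12:00:02 txn=3 card=4111 1111 1111 1111 status=DECLINED",
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(apply_sedcmd(event), "| unmasked:", surviving_pans(event))
```

The rule masks only 16 contiguous digits: numbers written with hyphens or spaces pass through unchanged, and longer digit runs such as order IDs are partially rewritten.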