The command basically anonymizes the search results without affecting the raw data .This helps us in changing  the sensitive information such as password ,personal emails etc.

This can be also achieved during index time in the transforms.conf which masks the data permanently.But if the data is already ingested and we need to send the sensitive information to other vendors , the scrub command helps us to achieve it by anonyimizing the required data .

Note: Here the data is not getting masked in this feature but the information is changed 

Let us get into the insights of how the command works

If we open the backend of the instance where splunk 9.0 is installed and get into the following location

cd /opt/splunk/etc/anonymizer

We would see the following files in the location

If you want to add the anonymizer folder onto your specific app, you can place the same into the following location

/opt/splunk/etc/apps/<app name>/anonymizer


scrub [public-terms=<filename>] [private-terms=<filename>] [name-terms=<filename>] [dictionary=<filename>] [timeconfig=<filename>] [namespace=<string>]

Required Arguments: None

Optional Arguments: As discussed below

 public-terms= <fielname>

The filename  is the file specified in the anonymizer folder which includes public terms in our data that does not need to be anonymized


File name is the file which we added in the anonymizer folder which include terms to be anonymized.


This includes names which are needed to be anonymized


This includes dictionary of the terms which are not requried to be anonymized  unless those terms are kept in the private-terms file .

Namespace = <string>

Here we can use the application containing  files which can be used for anonymizing instead of the built-in files  from the folder

Let us learn about the some arguments with examples below

 Here we have monitored a csv file which looks like as shown in the image below

The original data before applying the scrub command

Let us apply the scrub command without any arguments

The purpose of “scrub” is to anonymize the data .Here it has changed the raw data in to completely different data as shown in the image above

Now adding a field named “Avotrix” in the public-terms.txt file

 The purpose of public-terms as discussed above is anonymizing all the data except the field if found in the public-terms.txt .Here lets anonymize all the data except the company name ie “Avotrix”. So adding “Avotrix” in the public-terms.txt file and using the scrub command as shown below

vi /opt/splunk/etc/annonymizer/public-terms.txt

Here since we have added Avotrix name into our public-terms.txt file ,all the field values have been anonymized except the field company_name which we specified to remain public

If you have other file in the anonymizer folder where you want to show the public value you can mentioned it in the public-terms arguments

 Let us create a files of our own in the anonymizer directory for working out with private argument as well as public argument.The data looks as shown before applying the scrub command

Here we are anonymizing the data with our own files as mentioned in the anonymizer folder as shown below

We have created files name change.txt to be specified in the private-terms argument and public.txt to be specified in the public-terms argument

Using the scub command and providing the arguments the following changes are observed:

As specified in the change.txt , field name Mumbai and Navi Mumbai have been anonymized to new name whereas field name Delhi ,Pune and Avotrix remain public as mentioned in the public-terms argument

If you still have any doubt regarding applying scrub command in splunk query , Feel free to Ask your Doubts in the Comment Section below ,give your ratings and Don’t Forget to Follow us on 👍 Social Networks.| Happy Splunking 😉