https://community.splunk.com/t5/Splunk-Dev/How-do-you-redact-data-that-s-already-indexed/m-p/420893#M7380 <P>We currently index logs into index=indexY at a rate of 2G – 5G a day with the retention set to 12 months.</P> <P>One day last week, a code update started logging the user and password into the log in the form of ‘password=changeme’. Our Splunk environment is certified non-pci/non-private data and needs to remain so. We need to retain the event data due to security best practices, it is the event for access to a critical services, however the field needs to be redacted. </P> <P>What are the best options for retaining the data while scrubbing the field? For instance 'password=change' should be redacted to 'password=SCRUBBED' or removed entirely. Please consider that that data at rest cannot contain confidential data, so masking it at the Search Head is not a viable solution.</P> Tue, 22 Jan 2019 14:07:42 GMT lostbeatnik01 2019-01-22T14:07:42Z https://community.splunk.com/t5/Splunk-Dev/How-do-you-redact-data-that-s-already-indexed/m-p/420893#M7380 <P>We currently index logs into index=indexY at a rate of 2G – 5G a day with the retention set to 12 months.</P> <P>One day last week, a code update started logging the user and password into the log in the form of ‘password=changeme’. Our Splunk environment is certified non-pci/non-private data and needs to remain so. We need to retain the event data due to security best practices, it is the event for access to a critical services, however the field needs to be redacted. </P> <P>What are the best options for retaining the data while scrubbing the field? For instance 'password=change' should be redacted to 'password=SCRUBBED' or removed entirely. Please consider that that data at rest cannot contain confidential data, so masking it at the Search Head is not a viable solution.</P> Tue, 22 Jan 2019 14:07:42 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-you-redact-data-that-s-already-indexed/m-p/420893#M7380 lostbeatnik01 2019-01-22T14:07:42Z https://community.splunk.com/t5/Splunk-Dev/How-do-you-redact-data-that-s-already-indexed/m-p/420894#M7381 <P>HI</P> <P>there is a new function called ingest_eval. This lets you mask data at index time. I think its included since 7.2</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/IngestEval">https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/IngestEval</A></P> Tue, 22 Jan 2019 17:30:20 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-you-redact-data-that-s-already-indexed/m-p/420894#M7381 dkeck 2019-01-22T17:30:20Z https://community.splunk.com/t5/Splunk-Dev/How-do-you-redact-data-that-s-already-indexed/m-p/420895#M7382 <P>Hi @lostbeatnik01,</P> <P>You can't alter indexed data so only option is to remove those data, you can use <CODE>| delete</CODE> command which hides data from searching but it will not remove data from server and to use this command you need <CODE>can_delete</CODE> capability in role, even admin role does not have this capability by default.</P> <P>To anonymize any new data you can use <CODE>SEDCMD-</CODE> or combination of props and transforms, have a look at document <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata">https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata</A></P> Wed, 23 Jan 2019 10:18:13 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-you-redact-data-that-s-already-indexed/m-p/420895#M7382 harsmarvania57 2019-01-23T10:18:13Z