topic Re: mask anonymize data by role in Getting Data In

mask anonymize data by role

amitosr — Mon, 19 Dec 2011 21:54:17 GMT

Is there a way to mask or anonymize data in splunk by role such that one role (such as Admin) can see all the data on splunk however another role (such as user1)can only see the masked or anonymized data.

Re: mask anonymize data by role

amitosr — Tue, 20 Dec 2011 23:08:03 GMT

Wow i thought i could have it answered here, i will update once i get a solution to this :). Waiting on a response from Splunk support.

Re: mask anonymize data by role

amitosr — Mon, 09 Jan 2012 22:22:02 GMT

No solution yet.!!

Re: mask anonymize data by role

Damien_Dallimor — Mon, 09 Jan 2012 23:34:49 GMT

I don't know of a way to do this with Splunk's role based permissions on objects or at search time.

A potential solution/hack , albeit not very "license volume efficent", might be to index the data twice.
Index A indexes the data in plaintext , Index B indexes the same data but anonymized.

And then make Index A only readable to those in the admin role and Index B readable to those in the user1 role.

Re: mask anonymize data by role

gcoles — Mon, 09 Jan 2012 23:58:47 GMT

Yes this is what I would suggest, as well. I'd use saved searches to pipe the search results through a custom command that scrubs the fields out of the data and writes a copy of every record into another index. Since this would not be running through any of the inputs it would not count against licensing volume (as with summary indexing), but would require additional disk.

Re: mask anonymize data by role

qodeninja — Wed, 31 Jul 2019 14:31:28 GMT

Splunk doesn't have a mechanism to anonymize data at search time - it can only anonymize it at index-time.

To protect indexed sensitive data, you would need to filter it based on role to prevent access.