topic Re: Unwanted masking of user name in Splunk Search

Unwanted masking of user name

_smp_ — Tue, 15 Mar 2016 21:26:44 GMT

Hello, new Splunk user here. I have some syslog events that have a field automatically extracted named "user". In the top values of this field, one of the usernames is masked as '*****'. But when I search for these events, the user name is clearly shown in the actual event data. It is also masked in the top 10. I have searched my config files for the string '*****' looking for some anonymize logic, but I can't find any. Can someone help me figure out where to look?

Re: Unwanted masking of user name

martin_mueller — Tue, 15 Mar 2016 21:56:24 GMT

One potential source would be a calculated field, check Settings -> Fields -> Calculated Fields for one overwriting user.

Re: Unwanted masking of user name

somesoni2 — Tue, 15 Mar 2016 21:58:49 GMT

When you say "when I search for these events, the user name is clearly shown in the actual event data.", what search you used? Can you try like this and see if they are actually masked.

your base search without user filter | regex user="\*\*\*\*\*"

If you see the masked values in raw data then the masking logic is implemented/configured on Indexers/Heavy forwarders.

Re: Unwanted masking of user name

_smp_ — Wed, 16 Mar 2016 12:19:52 GMT

Thanks or the reply. I did not find any.

Re: Unwanted masking of user name

_smp_ — Wed, 16 Mar 2016 12:26:46 GMT

Haha, joke's on me. I was just clicking on the "**" user in the Top 10 Values, which adds the filter `user="**"` to the search string. When I escape the asterisks, I get zero results.

So I think that explains why I see other users in the search results - because I'm a newbie. But it's still not clear why a user with that name shows up in the Top 10 Values.

Thanks for the response.

Re: Unwanted masking of user name

somesoni2 — Wed, 16 Mar 2016 14:12:02 GMT

The top list is based on occurrence of the field, so it could very well be that you've more user values masked then any other single user.

Re: Unwanted masking of user name

_smp_ — Wed, 16 Mar 2016 14:27:37 GMT

I'm not quite sure what means. When I search for 'regex user="*****"', I get no results, so to me that means the mask is not in the actual event data. So how do I figure out where Splunk is masking it for me? Or maybe I misunderstood your point.

Re: Unwanted masking of user name

dgrubb_splunk — Wed, 16 Mar 2016 16:25:39 GMT

Without further information you may have configured at search time for some data to be anonymize. This section of the Splunk Documentation speaks to it:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Anonymizedata

Re: Unwanted masking of user name

somesoni2 — Wed, 16 Mar 2016 18:08:30 GMT

Can you try this as well, just to check if raw data has masking or not (check the number of asterisks)

your base search without user filter | where user="%*%"

UPDATED

your base search without user filter | where LIKE(user,"%*%")

Re: Unwanted masking of user name

martin_mueller — Wed, 16 Mar 2016 19:46:47 GMT

Keep in mind, there is no direct way to search for a literal asterisk. You'll need to work around this, for example with the regex command to filter search results with regular expressions.

Re: Unwanted masking of user name

_smp_ — Wed, 16 Mar 2016 20:42:39 GMT

This search returns a list of events where the user value "*****" is in the top 10 values:

index=idx

This search returns nothing:

index=idx | where user="%*****%"

Re: Unwanted masking of user name

_smp_ — Wed, 16 Mar 2016 20:45:14 GMT

Thank you. Yes, that fooled me once but somesoni2 straightened me in one of his earlier replies.

Re: Unwanted masking of user name

martin_mueller — Wed, 16 Mar 2016 20:55:00 GMT

The percent signs suggest you're trying to do an SQL-style LIKE? If so, that'd work like this:

... | where LIKE(user, "%*%")

Re: Unwanted masking of user name

_smp_ — Wed, 16 Mar 2016 21:08:25 GMT

Only because that's the string somesoni2 asked me to use. It seemed odd to me, but I'm a newbie. The value of user that I see in the top ten is a set of five asterisks.

Re: Unwanted masking of user name

somesoni2 — Wed, 16 Mar 2016 21:34:53 GMT

My bad, not sure where my mind was. Martin's syntax is what you should use.

Re: Unwanted masking of user name

_smp_ — Thu, 17 Mar 2016 13:07:25 GMT

No problem, I appreciate your willingness to try and help. I realize this thread has gone beyond where it should, so I opened a support case yesterday. I'll post an update when I have one.