https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697687#M236982 <P>HI,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR />I need to find secrets (passwords, api-tokens, etc.) in all data (events) in all indexes that are in splunk, the question is in the approach: how to do this so as not to overload splunk.</P> Thu, 29 Aug 2024 09:40:07 GMT user487596 2024-08-29T09:40:07Z https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697680#M236980 <P>Hello everyone! How can we solve the problem of searching for secrets in all or some splunk indexes so that splunk is not heavily loaded: how can this be implemented? (approach).&nbsp;</P><P>It is obvious that the list of indexes needs to be limited. What else?</P> Thu, 29 Aug 2024 08:38:50 GMT https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697680#M236980 user487596 2024-08-29T08:38:50Z https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697686#M236981 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268899">@user487596</a>&nbsp;,</P><P>could you better describe your requisite?</P><P>In Splunk access to data is managed at index level, in other words, you can define for each role, which are the indexes that the users with that role can access.</P><P>In addition, it's also possible to add some additional restrictions, but always at Role level, not user level.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 29 Aug 2024 09:34:51 GMT https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697686#M236981 gcusello 2024-08-29T09:34:51Z https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697687#M236982 <P>HI,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR />I need to find secrets (passwords, api-tokens, etc.) in all data (events) in all indexes that are in splunk, the question is in the approach: how to do this so as not to overload splunk.</P> Thu, 29 Aug 2024 09:40:07 GMT https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697687#M236982 user487596 2024-08-29T09:40:07Z https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697688#M236983 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268899">@user487596</a>&nbsp;,</P><P>Splunk is a search engine, so you can use it for this:</P><P>you must know the rules (e.g. searching for the password word) and then apply to the indexes.</P><P>At first I'd start identifying the login and create user actions for each environment in your infrastructure (e.g. in windows these action are identifed with EventCode = 4624 and 4720), then you can run searches with those specific filters to see if there are clear text passwords.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 29 Aug 2024 09:46:29 GMT https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697688#M236983 gcusello 2024-08-29T09:46:29Z https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697982#M237077 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,&nbsp;It's pretty clear what to look for, the question is how to do it in all indexes without loading splunk</P> Mon, 02 Sep 2024 12:54:02 GMT https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697982#M237077 user487596 2024-09-02T12:54:02Z https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697984#M237079 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268899">@user487596</a>&nbsp;,</P><P>sorry but I don't understand: what do you mean with "<SPAN>in all indexes without loading splunk"?</SPAN></P><P><SPAN>You could use APIs to access Splunk from your application without using the Splunk GUI.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Mon, 02 Sep 2024 13:06:27 GMT https://community.splunk.com/t5/Splunk-Search/searching-in-splunk-indexes/m-p/697984#M237079 gcusello 2024-09-02T13:06:27Z