https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251216#M75052 <P>I have created an alert with user name password fields such that the alert in savedsearches.conf has<BR /> action.creds_transfer.param.username= aaa<BR /> action.creds_transfer.param.password = test</P> <P>where creds_transfer is an alert action</P> <P>I need to read all searches with this action and encrypt the password since it is in clear text.<BR /> How can i do that?<BR /> Thanks</P> Tue, 29 Sep 2020 07:59:49 GMT GauriSplunk 2020-09-29T07:59:49Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251216#M75052 <P>I have created an alert with user name password fields such that the alert in savedsearches.conf has<BR /> action.creds_transfer.param.username= aaa<BR /> action.creds_transfer.param.password = test</P> <P>where creds_transfer is an alert action</P> <P>I need to read all searches with this action and encrypt the password since it is in clear text.<BR /> How can i do that?<BR /> Thanks</P> Tue, 29 Sep 2020 07:59:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251216#M75052 GauriSplunk 2020-09-29T07:59:49Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251217#M75053 <P>This uses rot13-encoding to obscure:</P> <PRE><CODE>|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "grfg" </CODE></PRE> Thu, 26 Nov 2015 00:01:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251217#M75053 woodcock 2015-11-26T00:01:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251218#M75054 <P>Thanks for your response.<BR /> couple of questions<BR /> Does saved/searches command also read searches from local/savedsearches.conf?<BR /> Where do i add this command? How can i call this from a python script?.<BR /> Can i run it using curl?</P> <P>This is how my alert looks in local/savedsearches.conf. I dont want the password here to be cleartext.</P> <P>[test-alert]<BR /> action.creds_transfer = 1<BR /> action.creds_transfer.param.password = coolio<BR /> action.creds_transfer.param.username = test<BR /> alert.suppress = 0<BR /> alert.track = 0<BR /> counttype = number of events<BR /> cron_schedule = 0 1 * * *<BR /> description = test Alert<BR /> dispatch.earliest_time = -1d<BR /> dispatch.latest_time = now<BR /> enableSched = 1<BR /> quantity = 0<BR /> relation = equal to<BR /> run_on_startup = 1<BR /> search = *</P> Tue, 29 Sep 2020 07:58:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251218#M75054 GauriSplunk 2020-09-29T07:58:28Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251219#M75055 <P>i ran this on splunk search <BR /> |rest /servicesNS/admin/infoblox/saved/searches action.creds_transfer.param.username = "test" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "coolio"<BR /> it gives me this error:<BR /> Error in 'rest' command: Invalid argument: 'action.creds_transfer.param.username' </P> Tue, 29 Sep 2020 07:59:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251219#M75055 GauriSplunk 2020-09-29T07:59:57Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251220#M75056 <P>I had a mistake, please try again with updated answer text.</P> Thu, 26 Nov 2015 02:43:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251220#M75056 woodcock 2015-11-26T02:43:06Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251221#M75057 <P>It doesn't work that way.</P> Thu, 26 Nov 2015 02:43:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251221#M75057 woodcock 2015-11-26T02:43:25Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251222#M75058 <P>ok. i tried with<BR /> |rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa" <BR /> and it didnt give error but also i did not get any results.<BR /> When i do |rest /servicesNS/-/-/saved/searches , I see the results and the value for action.creds_transfer.param.username.<BR /> but when i put where clause i do not see any results.<BR /> I also tried with other values instead of username and for those too i did not get any results.</P> <P>is the syntax correct?<BR /> Thanks<BR /> -Gauri</P> Tue, 29 Sep 2020 08:00:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251222#M75058 GauriSplunk 2020-09-29T08:00:02Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251223#M75059 <P>You have to rot13-encode <CODE>coolio</CODE> so use <CODE>pbbyvb</CODE>:</P> <P><A href="http://www.rot13.com">http://www.rot13.com</A></P> <P>I assumed the whole purpose was to obfuscate plain-text passwords in your search and search results, which this approach does.</P> Thu, 26 Nov 2015 18:52:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251223#M75059 woodcock 2015-11-26T18:52:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251224#M75060 <P>Hello Gauri, </P> <P>Using the rot13-encoding is reversible especially since you are doing it via rex so anyone that can see what the search is will know what is replaced by what and decode it. I advise you to have a look at :</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Cryptographic_functions">http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Cryptographic_functions</A></P> <P>Using hash functions such as :</P> <PRE><CODE>... | eval n=md5(field) </CODE></PRE> <P>Or</P> <PRE><CODE>.. | eval n=sha512(field) </CODE></PRE> <P>Is safer and not reversible.</P> <P>Regards,<BR /> David</P> Mon, 09 May 2016 09:23:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-read-all-searches-with-a-specific-action-in/m-p/251224#M75060 DavidHourani 2016-05-09T09:23:03Z