I have a task to sanitize output of the search for certain users. The data were indexed without sanitation and I cant reindex the data.
index=os | rex field=_raw mode=sed 's/acl/@/'
but i am getting Error in 'litsearch' command: Unable to parse the search: unbalanced parentheses, however the sed command works fine when used in search.
from job inspector:
( index=os ) ( ( | rex field=raw mode=sed 's/acl/@/' ) ) | fields keepcolorder=t "*" "bkt" "cd" "si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
As @somesoni2 mentioned, you can only use base search terms in the "restrict search terms" option. What you are describing is not possible in the current version of Splunk.
I would recommend that you export the events containing sensitive data (use
| fields _raw at the end of your search), use the
delete command to delete the sensitive events from the index, develop configs to sanitize the sensitive data (see http://docs.splunk.com/Documentation/Splunk/6.2.9/Data/Anonymizedatausingconfigurationfiles), and then re-index the data so that it will be sanitized at index time.
If your use case requires some users seeing sensitive data, and some not, I would suggest using data cloning to send the data to two separate indexes, and give them different sourcetypes, where one sourcetype has the SED and the other does not. Then, you can assign the corresponding indexes to each of your roles.