Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Anonymize data based on user role

soe_hlawin
Explorer
‎09-26-2013 07:32 PM

How to mask or Anonymize data in Splunk 5.0.4 based on role, such that one role (such as Admin) can search and see the data as it was indexed whereas another (such as User) can search and see only masked data ?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-28-2013 12:47 AM

I think you could create a scripted lookup in python, put this into transforms.conf to run automatically for all your sourcetypes or hosts or whatever is easier.

scripted lookups:
http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

Although what you're doing isn't really "looking up" anything per se, you have all of python at your disposal and you are free to modify any and all field values as they pass through your automatic lookup.

And then I think you can have a particular transform only take effect for certain roles? That part I'm not sure about but as a last resort you could in theory put the role logic into the python too. Avoid actually making rest calls at all costs. Hopefully the role is available somehow in the arguments to the scripted lookup, but as a last resort you could have some other automation create an easy-to-access manifest of users and roles to get the information cheaply.

There are however a number of pretty bad problems you'll then run into. For one thing users seeing the anonymized text will still be able to click on things, but they'll always get zero results for such searches (zero at best. 😃

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-28-2013 12:47 AM

I think you could create a scripted lookup in python, put this into transforms.conf to run automatically for all your sourcetypes or hosts or whatever is easier.

scripted lookups:
http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

Although what you're doing isn't really "looking up" anything per se, you have all of python at your disposal and you are free to modify any and all field values as they pass through your automatic lookup.

And then I think you can have a particular transform only take effect for certain roles? That part I'm not sure about but as a last resort you could in theory put the role logic into the python too. Avoid actually making rest calls at all costs. Hopefully the role is available somehow in the arguments to the scripted lookup, but as a last resort you could have some other automation create an easy-to-access manifest of users and roles to get the information cheaply.

There are however a number of pretty bad problems you'll then run into. For one thing users seeing the anonymized text will still be able to click on things, but they'll always get zero results for such searches (zero at best. 😃

Reply
Solved! Jump to solution

soe_hlawin
Explorer
‎10-22-2013 03:15 AM

Hi, I finally managed to find a way to get the user info to the external lookup script. But this approach doesn't suffice the requirement.
As per the said approach, I was supposed to input and output _raw from the lookup script. This is not working, and I doubt if it is feasibile. With a _raw input, I am able to output any other field but not _raw. Any clue?

0 Karma
Reply
Solved! Jump to solution

soe_hlawin
Explorer
‎10-16-2013 08:45 PM

Hi, point noted. But I am unable to retrieve the user/role in the python script to have the logic implemented.
To have the user/role in the search results as a field, one has to deliberatly pipe some command. This defeats my purpose for role based masking.

Any suggestion about how to send user/role info to the external scripted automated lookup?

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...