Getting Data In

Can I replace a field at parsing stage with a hash (using sha2 for example)?

_karlo
Explorer

Hi answers! I would like to replace some information I get in Splunk.
For example, I get some user names (user=karlo) for example. I would like to replace this with a hash value.

I have learned about SEDCMD and transforms. In there I know I can replace some characters with XXXX-es. This will not do in this case.

Replacing the values with a hash, before getting indexed/written to disk, and using my own salt, would be very nice. Can someone provide me with a hint if this is possible, and if so: how to do it?

0 Karma
1 Solution

niketn
Legend

@_karlo, you can refer to Nimish Doshi's App on Splunkbase Encrypt and Decrypt data within Events. You can also check out his blog: https://www.splunk.com/blog/2010/01/25/encrypting-and-decrypting-fields.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

stuartidelta01
Path Finder

Note that this is now possible in Splunk 7.2 with the new ingest eval capability.

You can, for instance, apply the eval sha512 function to a field to create a new field:

https://docs.splunk.com/Documentation/Splunk/7.2.0/Data/IngestEval

0 Karma

niketn
Legend

@_karlo, you can refer to Nimish Doshi's App on Splunkbase Encrypt and Decrypt data within Events. You can also check out his blog: https://www.splunk.com/blog/2010/01/25/encrypting-and-decrypting-fields.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

micahkemp
Champion

There is no way to run code at index time once the event is presented to Splunk. So, monitor inputs, etc have no way to do this.

But, if the necessity to accomplish this exists, you can look into scripted or modular inputs to meet this need.

Basically you would write code that reads the file and does the replacement, and Splunk would call that code.

0 Karma

_karlo
Explorer

Thanks for your reply. That is unfortunate. I will wait for a shot time if someone else has some answer, and accept next week if there is no other way. Thanks.

0 Karma

micahkemp
Champion

I, too, hope my answer proves to be wrong. 🙂

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...