Hi answers! I would like to replace some information I get in Splunk.
For example, I get some user names (user=karlo) for example. I would like to replace this with a hash value.
I have learned about SEDCMD and transforms. In there I know I can replace some characters with XXXX-es. This will not do in this case.
Replacing the values with a hash, before getting indexed/written to disk, and using my own salt, would be very nice. Can someone provide me with a hint if this is possible, and if so: how to do it?
@_karlo, you can refer to Nimish Doshi's App on Splunkbase Encrypt and Decrypt data within Events. You can also check out his blog: https://www.splunk.com/blog/2010/01/25/encrypting-and-decrypting-fields.html
Note that this is now possible in Splunk 7.2 with the new ingest eval capability.
You can, for instance, apply the eval sha512 function to a field to create a new field:
https://docs.splunk.com/Documentation/Splunk/7.2.0/Data/IngestEval
@_karlo, you can refer to Nimish Doshi's App on Splunkbase Encrypt and Decrypt data within Events. You can also check out his blog: https://www.splunk.com/blog/2010/01/25/encrypting-and-decrypting-fields.html
There is no way to run code at index time once the event is presented to Splunk. So, monitor
inputs, etc have no way to do this.
But, if the necessity to accomplish this exists, you can look into scripted or modular inputs to meet this need.
Basically you would write code that reads the file and does the replacement, and Splunk would call that code.
Thanks for your reply. That is unfortunate. I will wait for a shot time if someone else has some answer, and accept next week if there is no other way. Thanks.
I, too, hope my answer proves to be wrong. 🙂