Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Encrypt data during anonymization

hmozaffari
Path Finder
‎05-19-2015 12:59 PM

Referring to instruction of anonymization in page bellow:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles

During indexing, instead of replacing a field value with literals, I would like to apply a function on it (for example encrypt it) 

[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw

For example instead of replacing SessionId=3A1785URH117BEA with SessionId=######## , I would like to replace it with a runtime value result of applying a function (like encryption function ).

This way I'll have a mechanism to get the original values if needed.

Has anybody come up with a solution for that.
Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎05-11-2019 12:32 PM

There is a hot new product called Cribl that is a swiss-army-knife to backfill all of the things that splunk should do but doesn't/can't. I passed this on to them and they should comment (@clintsharp, @dritan).

0 Karma
Reply

manuelostertag
Path Finder
‎09-13-2019 06:28 AM

Hi Gregg,

thanks for the hint, it seems this tool could solve my problem described at 771002.

I will take a look at this tool.

0 Karma
Reply

jpass
Contributor
‎05-05-2019 09:40 PM

Splunk 6.6 introduced cryptographic functions md5() sha1() etc.

You can encrypt fields at index time using these functions along with INGEST_EVAL.

You can also use calculated fields in props.conf to encrypt fields at search time. But one can easily view the source of the log data to see unencrypted values if done at search time.

See: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/CryptographicFunctions

0 Karma
Reply

mihenn
Path Finder
‎05-05-2019 10:34 PM

This way you can generate hashes. But it isn´t possible to revert this to get the original value. There is no password or certificate based encryption implemented in Splunk yet. As far as I know.

0 Karma
Reply

Tapan_12345
New Member
‎10-22-2018 10:53 PM

I am also searching for something similar. My requirement is I should be able to decrypt fields or rex pattern by supplying "KEY" on the search box . I did some search and found the best way to do is to write custom search command and feed the search result to this search command by eval function. The underlining decryption may be written in python sdk using mapper.

Please let me know

0 Karma
Reply

woodcock
Esteemed Legend
‎05-19-2015 01:24 PM

You are going to have to do this with a pre-parser (outside of Splunk); it is pretty easy.

0 Karma
Reply

gesman
Communicator
‎05-19-2015 01:56 PM

You mean: log.txt -> postprocessed to -> log_processed.txt -> indexing only log_processed.txt files ?

0 Karma
Reply

hmozaffari
Path Finder
‎05-20-2015 05:28 AM

Well, it works when batch processing files. But in case of real time monitoring files or TCP/UDP it is ideal to leave encryption to Splunk.

0 Karma
Reply

mihenn
Path Finder
‎04-03-2018 08:44 AM

How do you do this in Splunk? I can't find any encryption function.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-19-2015 08:30 PM

Yes, exactly.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top