Getting Data In

How to mask the indexed data in Splunk cloud?

sathiyasun
Explorer

There are a few events already indexed with sensitive info in Splunk SaaS cloud. How to mask that sensitive data in the events? Or an event delete option to restrict users from viewing those events. Please advise.

Splunk SaaS cloud.

Example event: 
{"@timestamp":"2023-05-14T15:32:07.449Z", "log.level": "Msg", "labels.message":"system Authenticate customer :dda9c1ad-2df1-ehetiokhnergiwre453644836-sgnreg346893 PAN1 123456789 request AuthVerificationRequest(authRequest=null, accountNumber=null, pan=123456789, pin=0987654321pcw/5, txnsubtypcde=Full_pan_Lookup)" , "ecs.version": "1.2.0","process.thread.name":"http-nio-8080-exec-150","log.logger":"com","labels.appId":"IVR-BEE","labels.appVersion":"1","labels.channelId":"ACIVR","labels.correlationId":"ujb6678879-2df1-4a32-83e5-4198dbcfe913","labels.flow-id":"AUTH-PIN","labels.interactionId":"5646540-8a2c-4893kr-58434","labels.tenantId":"lll","labels.url":"/digital-auth/engineering/authenticateuser/v1/auth"}


PickleRick
SplunkTrust

From the security point of view, probably the only acceptable solution would be to drop the index altogether and re-ingest the data from scratch, this time properly with sensitive data masked/removed. That of course costs your license usage.

You could try to fiddle with masking and collecting to another index, but again, collect with a sourcetype other than stash incurs license usage.

As @isoutamo already pointed out, the delete command marks the events as unsearchable, but they are still contained within the buckets, so they might be readable by examining raw bucket content, which is probably not OK with your compliance dept.

Any form of search-time manipulation within Splunk itself is indeed bypassable relatively easily, and it can be seen only as a way to hide some event parts to make working with some parts of the data more convenient, but not as a security control (at least not an effective one).

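To illustrate the "re-ingest with sensitive data masked" route described above, here is an added props.conf fragment (not part of the thread and not official Splunk documentation) that applies index-time SEDCMD masking to the question's example event. The sourcetype name acme_auth_json is an assumption; the field names pan=, pin= and the "PAN1 " prefix come from the example event on the page.

```ini
# props.conf (added example; sourcetype name is assumed, not from the thread)
[acme_auth_json]
# Replace the card number wherever it appears in _raw before the event is indexed:
# both the "pan=123456789" key/value form and the "PAN1 123456789" prefix form.
SEDCMD-mask_pan = s/(pan=|PAN1 )[0-9]{6,19}/\1[MASKED]/g
# Replace the PIN value up to the next comma or closing parenthesis.
SEDCMD-mask_pin = s/(pin=)[^,)]+/\1[MASKED]/g
```

SEDCMD runs on the parsing tier (indexer or heavy forwarder), so it only affects data ingested after the configuration is in place; events already sitting in buckets are untouched, which is exactly why the answer above recommends dropping the index and re-ingesting. After re-ingest, a search such as `index=<your index> sourcetype=acme_auth_json | regex _raw="pan=[0-9]"` returning zero events is a quick check that the unmasked value no longer reaches the index.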

isoutamo
SplunkTrust

Hi

If the event is written to a bucket, then users could always see it somehow if they have access to this index. At least I don't know any way to avoid this. There are some ways to make this a little bit harder, but no way to make it impossible.

So your only ways to stop users seeing it are to restrict access to this index or "delete" those from the index.

For deleting, you need the can_delete capability added to your account. I propose that you add it just temporarily and remove it as soon as you have deleted those from the index. BUT remember that even the delete command cannot remove events from the bucket/disk; it just marks them so that searches don't show them.

How to delete? Just create a search which finds only those events which have sensitive content, and when you are happy with it, pipe it to the delete command like

index=<your indexes> <your search which founds only those events which you want to remove>
| delete

r. Ismo 
