Getting Data In

Is there any sensitive data in the _internal index


Hi Splunkers,

We have a macro here we're using to allow users to search their previous search history. It relies on the searches.log contained in the _internal index.

In principal, at least from what i've used the _internal index for (metrics, search log etc) I haven't come across any events in there that are particularly operationally sensitive.

Was wondering if there are any potential "gotchas" that could be lurking there that I should be aware of, without actually trawling all the logs looking for sensitive stuff.

The intention is to allow _internal index access to the user role in our environment.

Cheers, Marcus

Tags (2)


I think one of the biggest security problems concerns the searchterms because all searches would become visible. For example if an admin is doing some searches and during the course of that they click on a particular social security number in the UI, that becomes a search so the number of course appears in searches.log and now all the regular users can see that number.

So if there are any indexes that only users with special roles can search, you're leaving a bit of a hole. On the other hand, if there are no such indexes in your system, this particular problem dissappears.

I cant think of much that's left. Traffic analysis and maybe searchterm analysis on what the other splunk users are searching for.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!