Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I use sed in Restrict search terms to sanitize on search

buckiboy
New Member
‎08-03-2016 06:21 AM

I have a task to sanitize output of the search for certain users. The data were indexed without sanitation and I cant reindex the data.

example:
index=os | rex field=_raw mode=sed 's/acl/@/'

but i am getting Error in 'litsearch' command: Unable to parse the search: unbalanced parentheses, however the sed command works fine when used in search.

from job inspector:
( index=os ) ( ( | rex field=_raw mode=sed 's/acl/@/' ) ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

0 Karma
Reply

masonmorales
Influencer
‎08-03-2016 12:05 PM

As @somesoni2 mentioned, you can only use base search terms in the "restrict search terms" option. What you are describing is not possible in the current version of Splunk.

I would recommend that you export the events containing sensitive data (use | fields _raw at the end of your search), use the delete command to delete the sensitive events from the index, develop configs to sanitize the sensitive data (see http://docs.splunk.com/Documentation/Splunk/6.2.9/Data/Anonymizedatausingconfigurationfiles), and then re-index the data so that it will be sanitized at index time.

If your use case requires some users seeing sensitive data, and some not, I would suggest using data cloning to send the data to two separate indexes, and give them different sourcetypes, where one sourcetype has the SED and the other does not. Then, you can assign the corresponding indexes to each of your roles.

Reply

Masa
Splunk Employee
Splunk Employee
‎08-10-2016 10:24 AM

http://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Search_filter_format

0 Karma
Reply

somesoni2
Revered Legend
‎08-03-2016 07:07 AM

Only base search terms are allowed for that attribute, whereas rex is a command.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...