How to use srchFilter to anonymize data based on role?

RicoSuave
Builder

Haros my friends!

I would like to anonymize sensitive data at search time, but only for certain roles and without having to resort to index-time anonymization via props/transforms. Is this possible? I tried using srchFilter in the roles via the GUI, but Splunk complains about unbalanced quotes if I use any type of command after a pipe.

Please, help me!

1 Solution

RicoSuave
Builder

Yes, you can. The reason you see a message about unbalanced quotes has to do with how Splunk adds the search terms to the base of the search and, apparently, a | will cause the search to fail at runtime. There is a dirty workaround for this. It involves bypassing the GUI and adding two closing quotes before your search and two after your search. Like this:

authorize.conf
[yourAwesomeRole]
# the leading "))" and trailing "((" rebalance the parentheses Splunk puts around the filter
srchFilter = )) | rex "(?<testfield>\d)" ((

By adding the double parentheses before and afterwards, you can now use search commands that require a pipe, such as the rex command with mode=sed, which should allow you to anonymize at search time.

CAUTION: If you use this method to anonymize data, please be aware that this can have a major performance impact on your search speed. The rex command with mode=sed can be very expensive, especially if traversing very large events. Use this with caution. This is NOT A SUPPORTED CONFIGURATION as of this moment.

The proper way to restrict sensitive data would be to clone your data to another index and anonymize data at index time on the cloned copy.
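As an added illustration (not code from the post or from Splunk), the following Python models why the `)) ... ((` trick makes the pipe parse, and applies the same kind of sed-style masking a rex mode=sed would. It assumes Splunk wraps the role's srchFilter as `(( ... ))` when composing the search; the events, field names and regex are constructed.

```python
import re

# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    "2024-01-05 12:00:01 user=alice ssn=123-45-6789 action=login",
    "2024-01-05 12:00:03 user=carol action=view",
]
# Hypothetical srchFilter values: the post's example, a naive pipe, and the ")) ... ((" trick
# carrying a rex mode=sed that masks SSN-shaped values in _raw.
SED_MASK = r"s/\b\d{3}-\d{2}-\d{4}\b/XXX-XX-XXXX/g"
FILTER_POST = r')) | rex "(?<testfield>\d)" (('
FILTER_NAIVE = f'| rex mode=sed field=_raw "{SED_MASK}"'
FILTER_TRICK = f')) | rex mode=sed field=_raw "{SED_MASK}" (('

def compose_search(base, srch_filter):
    """Assumption: Splunk appends the role's srchFilter to the base search wrapped as (( ... ))."""
    return f"{base} (({srch_filter}))"

def scan_spl(spl):
    """Yield (char, depth, in_quote), tracking parenthesis depth outside "..." strings."""
    depth, in_quote = 0, False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        yield ch, depth, in_quote

def parens_balanced(spl):
    depths = [d for _, d, _ in scan_spl(spl)]
    return all(d >= 0 for d in depths) and (not depths or depths[-1] == 0)

def pipes_at_top_level(spl):
    """A pipe nested inside the wrapping parentheses is what breaks the GUI-entered filter."""
    return all(d == 0 for ch, d, q in scan_spl(spl) if ch == "|" and not q)

def apply_sed(expr, text):
    """Apply s/pattern/replacement/flags as rex mode=sed would (subset: / delimiter, g and i flags)."""
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([gi]*)", expr)
    if not m:
        raise ValueError(f"unsupported sed expression: {expr}")
    pattern, repl, flags = m.groups()
    return re.sub(pattern, repl, text, count=0 if "g" in flags else 1, flags=re.I if "i" in flags else 0)

def mask_events(events, sed_expr=SED_MASK):
    return [apply_sed(sed_expr, event) for event in events]
```

Running `pipes_at_top_level` on the composed search shows the naive filter leaves the pipe nested two levels deep, while the trick closes the wrapper first so the pipe sits at the top level.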



splunkIT
Splunk Employee

Thank you @joetronic. This is just what I was looking for. You da man!!
