Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use srchFilter to anonymize data based on role?

RicoSuave
Builder
‎10-02-2015 09:04 AM

Haros my friends!

I would like to anonymize sensitive data at search-time but, only for certain roles and without having to resort to index-time data anonymize via props/transforms. Is this possible? I tried using srchFilter in the roles via the GUI, but Splunk complains about unbalanced quotes if I use any type of commands after a pipe.

Por Favor, ayudenme!

Reply
1 Solution
Solved! Jump to solution
Solution

RicoSuave
Builder
‎10-02-2015 09:13 AM

Yes you can. The reason you see a message about unbalanced quotes has to do with how splunk adds the search terms to the base of the search and apparently, a | will cause the search to fail at runtime. There is a dirty workaround for this. And it involves bypassing the GUI and adding two closing quotes before your search and two after your search. Like this:

Authorize.conf
[yourAwesomeRole]
srchFilter = )) | rex "(?<testfield>\d)" ((

By adding the double parentheses before and afterwards, you can now use search commands that require a pipe, such as the rex command with mode=sed which should allow you to anonymize at search time.

CAUTION: If you use this method to anonymize data, please be aware that this can have a major performance impact on your search speed. The rex command with mode=sed can be very expensive, especially if traversing very large events. Use this with caution. This is NOT A SUPPORTED CONFIGURATION as of this moment.

The proper way to restrict sensitive data would be to clone your data to another index and anonymize data at index time on the cloned copy.

View solution in original post

Reply
Solved! Jump to solution
Solution

RicoSuave
Builder
‎10-02-2015 09:13 AM

Yes you can. The reason you see a message about unbalanced quotes has to do with how splunk adds the search terms to the base of the search and apparently, a | will cause the search to fail at runtime. There is a dirty workaround for this. And it involves bypassing the GUI and adding two closing quotes before your search and two after your search. Like this:

Authorize.conf
[yourAwesomeRole]
srchFilter = )) | rex "(?<testfield>\d)" ((

By adding the double parentheses before and afterwards, you can now use search commands that require a pipe, such as the rex command with mode=sed which should allow you to anonymize at search time.

CAUTION: If you use this method to anonymize data, please be aware that this can have a major performance impact on your search speed. The rex command with mode=sed can be very expensive, especially if traversing very large events. Use this with caution. This is NOT A SUPPORTED CONFIGURATION as of this moment.

The proper way to restrict sensitive data would be to clone your data to another index and anonymize data at index time on the cloned copy.

Reply
Solved! Jump to solution

splunkIT
Splunk Employee
Splunk Employee
‎10-02-2015 09:16 AM

Thanks you @joetronic. This is just what I was looking for. You da man!!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...