Haros my friends!
I would like to anonymize sensitive data at search time, but only for certain roles and without having to resort to index-time data anonymization via props/transforms. Is this possible? I tried using srchFilter in the roles via the GUI, but Splunk complains about unbalanced quotes if I use any type of command after a pipe.
Please, help me!
Yes, you can. The reason you see a message about unbalanced quotes has to do with how Splunk adds the search terms to the base of the search, and apparently a pipe (|) will cause the search to fail at runtime. There is a dirty workaround for this. It involves bypassing the GUI and adding two closing parentheses before your search and two opening parentheses after it, like this:

authorize.conf:

[yourAwesomeRole]
srchFilter = )) | rex "(?<testfield>\d)" ((

By adding the double parentheses before and afterwards, you can now use search commands that require a pipe, such as the rex command with mode=sed, which should allow you to anonymize at search time.
CAUTION: If you use this method to anonymize data, please be aware that this can have a major performance impact on your search speed. The rex command with mode=sed can be very expensive, especially if traversing very large events. Use this with caution. This is NOT A SUPPORTED CONFIGURATION as of this moment.
The proper way to restrict sensitive data would be to clone your data to another index and anonymize data at index time on the cloned copy.
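As an added example that is not part of the original question or answer, the two approaches side by side in Splunk .conf files. The role name masked_analyst, the sourcetype app_logs, the index names main and masked, and the SSN-style pattern are assumptions for illustration only. The authorize.conf stanza relies on the same unsupported )) ... (( trick described above; the props.conf/transforms.conf stanzas are the supported route the answer recommends, cloning the data to a second sourcetype, masking the clone with SEDCMD at index time, and routing it to its own index.

```ini
# authorize.conf  -- search-time masking via srchFilter (UNSUPPORTED trick)
# The role's srchFilter is spliced into every search the role runs. The
# leading "))" closes the parentheses Splunk wraps around the filter and
# the trailing "((" reopens them, which is what lets the pipe survive.
# Role name and regex are hypothetical; the regex masks the first two
# groups of a 123-45-6789 style number and keeps the last four digits.
[masked_analyst]
srchFilter = )) | rex field=_raw mode=sed "s/\b(\d{3})-(\d{2})-(\d{4})\b/XXX-XX-\3/g" ((
srchIndexesAllowed = main
srchIndexesDefault = main

# props.conf  -- index-time masking on a cloned copy (supported route)
# Hypothetical sourcetype "app_logs". Every incoming event is cloned into
# the sourcetype "app_logs_masked"; the clone is masked and routed to the
# index "masked", while the untouched original still lands in "main".
[app_logs]
TRANSFORMS-clone_for_masking = clone_app_logs

[app_logs_masked]
SEDCMD-mask_ssn = s/\b(\d{3})-(\d{2})-(\d{4})\b/XXX-XX-\3/g
TRANSFORMS-route_masked = route_to_masked_index

# transforms.conf
[clone_app_logs]
REGEX = .
CLONE_SOURCETYPE = app_logs_masked

[route_to_masked_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = masked
```

With the supported route, the restriction is enforced by index access rather than by a search filter: give the restricted role srchIndexesAllowed = masked and no access to main, and reserve main for the privileged roles. With the srchFilter trick, the unmasked events still live in an index the role can read, so the protection depends entirely on the filter being applied to every search. After editing the files, `splunk btool authorize list masked_analyst --debug` and `splunk btool props list app_logs_masked --debug` confirm which file each setting was actually read from before you restart.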