I would like to have an option to encrypt/hash certain fields of a specific sourcetype in an index. I would prefer to not use an encrypted filesystem at this time, since this is not a supported option internally. I have a requirement to have specific fields encrypted when stored on disk or in a DB.
I understand that I can mask values at index or search time, but neither of these options meets my requirements. Any suggestions? Is this option a planned enhancement?
You may want to download this add-on. It provides a pre-processor to encrypt a file's data based on your regex before it is indexed and a decrypt command to decrypt the field at search time provided you also give it the same unique key you used with the encryption. It uses DES.
http://splunkbase.splunk.com/apps/All/4.x/app:Encrypt+and+Decrypt+data+within+Events
There isn't a native mechanism for that, at least as of 4.1.
Your best approaches are to either use a scripted input to read the data, or to have an external script pre-process the log files before moving them into a directory monitored by Splunk.
You might also want to submit an enhancement request:
http://answers.splunk.com/questions/4844/how-can-i-submit-an-enhancement-request
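As an added illustration of the "external script pre-processes the log files" approach from the answer above (this is example code, not part of the thread or of any Splunk add-on), the script below tokenizes selected field values before the file is dropped into a monitored directory. It assumes the sensitive fields appear as `key=value` pairs matched by the regexes in `FIELD_PATTERNS`, that a per-deployment secret is supplied through an environment variable named `LOG_TOKEN_KEY` (an assumed name), and it uses a keyed hash (HMAC-SHA256) instead of DES: the token is deterministic, so equal values still correlate and a known value can be searched for by tokenizing the search term with the same key, but the plaintext is never written to the index. The sample log lines are constructed.

```python
"""Field-level pseudonymization of log lines before indexing.

Added example, not code from the original thread. Assumptions:
- sensitive fields appear as key=value pairs matched by FIELD_PATTERNS
  (the field names and SAMPLE_LINES are constructed for illustration);
- the secret key comes from the LOG_TOKEN_KEY environment variable
  (assumed name) and is shared with whoever needs to search on a value.
"""
import hashlib
import hmac
import os
import re
import sys
from typing import Iterable, List, Pattern

# Each pattern keeps the field name in group "k" so the indexed event stays
# readable, and isolates the value to replace in group "v".
FIELD_PATTERNS: List[Pattern[str]] = [
    re.compile(r"(?P<k>\buser=)(?P<v>[^\s,]+)"),
    re.compile(r"(?P<k>\bssn=)(?P<v>\d{3}-\d{2}-\d{4})"),
    re.compile(r"(?P<k>\bcard=)(?P<v>\d{12,19})"),
]

TOKEN_PREFIX = "tok:"
TOKEN_HEX_LEN = 32  # keep 128 bits of the HMAC output; ample against collisions


def tokenize_field(key: bytes, value: str) -> str:
    """Deterministic, key-dependent token for one field value.

    The same (key, value) always yields the same token, so a searcher who
    holds the key can compute the token for a value and search for it.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return TOKEN_PREFIX + digest[:TOKEN_HEX_LEN]


def preprocess_line(key: bytes, line: str, patterns=FIELD_PATTERNS) -> str:
    """Replace every protected field value in one line with its token."""
    def _sub(m: re.Match) -> str:
        return m.group("k") + tokenize_field(key, m.group("v"))

    for pat in patterns:
        line = pat.sub(_sub, line)
    return line


def preprocess_lines(key: bytes, lines: Iterable[str]) -> List[str]:
    """Pre-process a whole file's worth of lines, preserving order."""
    return [preprocess_line(key, line) for line in lines]


# Constructed sample events (not real data).
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z login ok user=alice src=10.0.0.5",
    "2024-01-01T10:00:01Z payment user=alice card=4111111111111111 amount=12.50",
    "2024-01-01T10:00:02Z hr-update user=bob ssn=123-45-6789",
]


def main() -> None:
    # Refuse to run with a missing or weak key; a short key makes the tokens
    # trivially reversible by brute force over the key.
    key = os.environ.get("LOG_TOKEN_KEY", "").encode("utf-8")
    if len(key) < 16:
        sys.exit("LOG_TOKEN_KEY must be set to at least 16 bytes")
    # Pass "-" to read a real log from stdin; otherwise show the samples.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        source: Iterable[str] = (line.rstrip("\n") for line in sys.stdin)
    else:
        source = SAMPLE_LINES
    for out in preprocess_lines(key, source):
        print(out)


if __name__ == "__main__":
    main()
```

Run it as `LOG_TOKEN_KEY=... python pseudonymize.py - < access.log > /var/spool/splunk-in/access.log` (paths assumed) from the job that stages files for the monitored directory. Rotate the key with care: a new key changes every token, so searches across the key boundary must tokenize the value under both keys.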