encrypt/decrypt fields stored in index

Path Finder

I would like to have an option to encrypt/hash certain fields of a specific sourcetype in an index. I would prefer to not use an encrypted fileystem at this time, since this is not a supported option internally. I have a requirement to have specific fields encrypted when stored on disk or in a DB.

I understand that I can mask values at index or search time, but neither of these options meets my requirements. Any suggestions? Is this option a planned enhancement?

Tags (1)

Splunk Employee
Splunk Employee

You may want to download this add-on. It provides a pre-processor to encrypt a file's data based on your regex before it is indexed and a decrypt command to decrypt the field at search time provided you also give it the same unique key you used with the encryption. It uses DES.


There isn't a native mechanism for that, at least as of 4.1.

Your best approaches are to either use a scripted input to read the data, or to have an external script pre-process the log files before moving them into a directory monitored by Splunk.

You might also want to submit an enhancement request: