Splunk Search

How do I read all searches with a specific action in savedsearches.conf?

Path Finder

I have created an alert with username and password fields, such that the alert in savedsearches.conf has
action.creds_transfer.param.username = aaa
action.creds_transfer.param.password = test

where creds_transfer is an alert action

I need to read all searches with this action and encrypt the password, since it is in clear text.
How can I do that?
Thanks

0 Karma

Super Champion

Hello Gauri,

Using rot13 encoding is reversible, especially since you are doing it via rex, so anyone who can see what the search is will know what is replaced by what and can decode it. I advise you to have a look at:

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Cryptographic_...

Using hash functions such as :

... | eval n=md5(field)

Or

... | eval n=sha512(field)

is safer and not reversible.

Regards,
David

0 Karma

Esteemed Legend

This uses rot13-encoding to obscure:

|rest /servicesNS/-/-/saved/searches | where 'action.creds_transfer.param.username' = "aaa" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where 'action.creds_transfer.param.password' = "grfg"
0 Karma

Path Finder

Thanks for your response.
couple of questions
Does the saved/searches command also read searches from local/savedsearches.conf?
Where do I add this command? How can I call this from a Python script?
Can I run it using curl?

This is how my alert looks in local/savedsearches.conf. I don't want the password here to be clear text.

[test-alert]
action.creds_transfer = 1
action.creds_transfer.param.password = coolio
action.creds_transfer.param.username = test
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 0 1 * * *
description = test Alert
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = equal to
run_on_startup = 1
search = *

0 Karma
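An added example in Python (mine, not code from the thread or from Splunk) that ties the pieces of this thread together: it parses a savedsearches.conf stanza like the one posted above, lists the searches that have a given alert action and a clear-text password parameter, flattens the JSON that `| rest /servicesNS/-/-/saved/searches` (or the same endpoint fetched with curl and output_mode=json) returns into the same shape, builds the rot13-style search from the answer above with the dotted field names single-quoted for `where`, and emits the POST bodies for Splunk's storage/passwords endpoint, the encrypted credential store, as the place to move the secret to. The stanza text and the REST JSON are constructed samples; the app name `infoblox`, the realm `creds_transfer` and all function names are this example's own assumptions.

```python
import configparser
import json
from urllib.parse import urlencode

# Constructed sample savedsearches.conf, modelled on the test-alert stanza posted in
# the thread, plus a second stanza that does not use the creds_transfer action.
SAMPLE_CONF = """\
[test-alert]
action.creds_transfer = 1
action.creds_transfer.param.password = coolio
action.creds_transfer.param.username = test
cron_schedule = 0 1 * * *
enableSched = 1
search = *

[disk-alert]
action.email = 1
cron_schedule = */5 * * * *
search = index=_internal component=DiskMon
"""

# Constructed sample of the JSON that saved/searches returns with output_mode=json,
# trimmed to the fields this example uses.
SAMPLE_REST_JSON = json.dumps({"entry": [
    {"name": "test-alert", "acl": {"app": "search"},
     "content": {"action.creds_transfer": "1",
                 "action.creds_transfer.param.username": "test",
                 "action.creds_transfer.param.password": "coolio"}},
    {"name": "disk-alert", "acl": {"app": "search"},
     "content": {"action.email": "1"}},
]})


def parse_savedsearches(text):
    """Parse the INI-style savedsearches.conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # Splunk keys are case-sensitive (enableSched)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def searches_with_action(conf, action):
    """Stanzas that have action.<action> enabled; works on parsed conf or REST output."""
    return sorted(s for s, kv in conf.items() if kv.get(f"action.{action}") == "1")


def cleartext_passwords(conf, action):
    """{stanza: password} for every search carrying the action's password parameter."""
    key = f"action.{action}.param.password"
    return {s: conf[s][key] for s in searches_with_action(conf, action) if conf[s].get(key)}


def rest_entries(body):
    """Flatten the saved/searches JSON into the same {name: content} shape as the conf."""
    return {e["name"]: e["content"] for e in json.loads(body)["entry"]}


ROT13 = str.maketrans(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM")


def rot13(s):
    """Same transform as the y/// in the thread's rex; rot13(rot13(s)) == s."""
    return s.translate(ROT13)


def obfuscated_rest_search(action, username, password):
    """SPL in the style of the answer above: the search text carries rot13(password) and
    rot13-transforms the stored field before comparing, so neither the search string nor
    its results show the secret in clear. Dotted field names are single-quoted inside
    `where` because an unquoted '.' is eval's string-concatenation operator."""
    sed = ("y/abcdefghijklmnopqrstuvwxyz/nopqrstuvwxyzabcdefghijklm/ "
           "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/NOPQRSTUVWXYZABCDEFGHIJKLM/")
    return (f"| rest /servicesNS/-/-/saved/searches "
            f"| where 'action.{action}.param.username' = \"{username}\" "
            f"| rex mode=sed field=action.{action}.param.password \"{sed}\" "
            f"| where 'action.{action}.param.password' = \"{rot13(password)}\"")


def credential_store_requests(conf, action, app, realm):
    """For each clear-text password, the (path, form body) to POST to Splunk's encrypted
    credential store, e.g. curl -k -u admin:<pw> https://localhost:8089<path> -d '<body>'.
    The alert-action script can then fetch it at run time with its session key instead
    of reading it from savedsearches.conf. app and realm are this example's choice."""
    out = []
    for stanza in searches_with_action(conf, action):
        kv = conf[stanza]
        pw = kv.get(f"action.{action}.param.password")
        if pw:
            out.append((f"/servicesNS/nobody/{app}/storage/passwords",
                        urlencode({"realm": realm,
                                   "name": kv[f"action.{action}.param.username"],
                                   "password": pw})))
    return out


def strip_passwords(text, action):
    """Conf text with the action's password parameter removed, everything else kept."""
    key = f"action.{action}.param.password"
    return "\n".join(line for line in text.splitlines()
                     if line.split("=", 1)[0].strip() != key) + "\n"


if __name__ == "__main__":
    conf = parse_savedsearches(SAMPLE_CONF)
    print(cleartext_passwords(conf, "creds_transfer"))
    print(obfuscated_rest_search("creds_transfer", "test", "coolio"))
    for path, body in credential_store_requests(conf, "creds_transfer", "infoblox", "creds_transfer"):
        print(path, body)
```

The rot13 route only keeps the literal out of the search text and search results; `rot13(rot13(x)) == x`, so anyone who reads the conf file or the rex still has the password. Moving it into storage/passwords is what takes it out of savedsearches.conf: a custom alert action script receives its session key in the JSON payload on stdin and can read the credential back from that endpoint when it runs.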

Esteemed Legend

It doesn't work that way.

0 Karma

Path Finder

OK. I tried with
|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa"
and it didn't give an error, but I also did not get any results.
When I do |rest /servicesNS/-/-/saved/searches, I see the results and the value for action.creds_transfer.param.username,
but when I put in the where clause I do not see any results.
I also tried with other values instead of username, and for those too I did not get any results.

is the syntax correct?
Thanks
-Gauri

0 Karma

Esteemed Legend

You have to rot13-encode coolio, so use pbbyvb:

http://www.rot13.com

I assumed the whole purpose was to obfuscate plain-text passwords in your search and search results, which this approach does.

0 Karma

Path Finder

I ran this in Splunk search:
|rest /servicesNS/admin/infoblox/saved/searches action.creds_transfer.param.username = "test" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "coolio"
it gives me this error:
Error in 'rest' command: Invalid argument: 'action.creds_transfer.param.username'

0 Karma

Esteemed Legend

I had a mistake, please try again with updated answer text.

0 Karma