Splunk Search

Is it possible to mask the sensitive data from the configuration files during the search time?

splunkrocks2014
Communicator

I am able to use "SEDCMD" to mask the sensitive data during the index time, but is it possible to mask the sensitive data during the search time? Thanks.

0 Karma

BBakkenes
Explorer

Yes this is possible.

You can make a calculated field with the name of the field you want to change. The eval expression should look like this:

replace(fieldname, "text-to-replace", "replacement")

When trying to mask data you can use the same command but with regex:

replace(fieldname, "field=[^;]+", "field=XXXX")

Remember to set sharing to the correct level.

0 Karma

somesoni2
Revered Legend

Try using rex command with mode=sed option.

your base search 
| rex mode=sed "s/(sensitive_data_regex)/replacement_string/g"

Again, this won't change the underlying data, just the raw data that's displayed in table/event visualization. Any fields extracted from _raw before your rex command (e.g. saved field extractions or auto-field extraction) could still have those sensitive data.

0 Karma

splunkrocks2014
Communicator

Thanks somesoni2, but I wanted to make it work from the configuration files.

0 Karma

somesoni2
Revered Legend

You can try some stuff, but that method has many loopholes. For example, you can set up a calculated field to overwrite the _raw field with masked data. It will do the replacement of _raw values in cases where saved field extractions are called (searches running in Smart Mode or Verbose Mode), but it won't do anything if the search is in Fast Mode and the user is just running the base search (not referencing the _raw field explicitly).

0 Karma
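As an added example (not code from any of the posters), here is a props.conf fragment that wires both approaches from the thread into configuration: a calculated field that masks an already-extracted field, and one that rewrites _raw, with the Fast Mode limitation noted above. The sourcetype name, field names and regexes are assumptions, not values from the thread.

```ini
# props.conf -- search-time masking with calculated fields (added example).
# Sourcetype "app_logs" and the fields "ssn" and "card" are hypothetical.
[app_logs]

# Mask an extracted field. A calculated field with the same name as the
# extracted field replaces it, so any search that references "ssn" sees
# the masked value. \3 keeps the last group, as replace() supports
# backreferences in the replacement string.
EVAL-ssn = replace(ssn, "^(\d{3})-(\d{2})-(\d{4})$", "XXX-XX-\3")

# Mask inside _raw so event views and table output of _raw are scrubbed.
# Caveat from the thread: this is only evaluated when _raw is evaluated
# (Smart/Verbose Mode, or a search that references _raw explicitly);
# a Fast Mode base search still returns the unmasked event.
EVAL-_raw = replace(_raw, "card=\d{12}(\d{4})", "card=************\1")

# Fields extracted from _raw before these evals run (auto-extraction,
# saved field extractions) can still carry the sensitive value; cover
# each such field with its own EVAL-<field> setting as for "ssn" above,
# and share the knowledge object at the right app/global scope.
```

To confirm the settings took effect, search the sourcetype in Verbose Mode and check both `ssn` and `_raw` in a `table` output; then repeat the bare base search in Fast Mode to see the gap somesoni2 describes.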