Splunk Search

Unwanted masking of user name

_smp_
Builder

Hello, new Splunk user here. I have some syslog events that have a field automatically extracted named "user". In the top values of this field, one of the usernames is masked as '*****'. But when I search for these events, the user name is clearly shown in the actual event data. It is also masked in the top 10. I have searched my config files for the string '*****' looking for some anonymize logic, but I can't find any. Can someone help me figure out where to look?

0 Karma

martin_mueller
SplunkTrust

Keep in mind, there is no direct way to search for a literal asterisk. You'll need to work around this, for example with the regex command to filter search results with regular expressions.

0 Karma

_smp_
Builder

Thank you. Yes, that fooled me once but somesoni2 straightened me in one of his earlier replies.

0 Karma

dgrubb_splunk
Splunk Employee

Without further information, you may have configured some data to be anonymized at search time. This section of the Splunk documentation speaks to it:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Anonymizedata

0 Karma

somesoni2
Revered Legend

When you say "when I search for these events, the user name is clearly shown in the actual event data.", what search did you use? Can you try like this and see if they are actually masked?

your base search without user filter | regex user="\*\*\*\*\*"

If you see the masked values in raw data then the masking logic is implemented/configured on Indexers/Heavy forwarders.

0 Karma

_smp_
Builder

Haha, joke's on me. I was just clicking on the `*****` user in the Top 10 Values, which adds the filter `user="*****"` to the search string. When I escape the asterisks, I get zero results.

So I think that explains why I see other users in the search results - because I'm a newbie. But it's still not clear why a user with that name shows up in the Top 10 Values.

Thanks for the response.

0 Karma

somesoni2
Revered Legend

The top list is based on occurrence of the field, so it could very well be that you've more user values masked than any other single user.

0 Karma

_smp_
Builder

I'm not quite sure what that means. When I search for 'regex user="*****"', I get no results, so to me that means the mask is not in the actual event data. So how do I figure out where Splunk is masking it for me? Or maybe I misunderstood your point.

0 Karma

somesoni2
Revered Legend

Can you try this as well, just to check if raw data has masking or not (check the number of asterisks)

your base search without user filter | where user="%*%"

UPDATED

your base search without user filter | where LIKE(user,"%*%")

0 Karma

_smp_
Builder

This search returns a list of events where the user value "*****" is in the top 10 values:

index=idx

This search returns nothing:

index=idx | where user="%*****%"

0 Karma

martin_mueller
SplunkTrust

The percent signs suggest you're trying to do an SQL-style LIKE? If so, that'd work like this:

... | where LIKE(user, "%*%")

0 Karma
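An added example, not from any poster in this thread, that combines the two checks above (the regex test on the raw event and the LIKE test on the extracted field) into one search, so you can see in a single table whether the asterisks exist in `_raw` or only in the `user` field. `index=idx` is the placeholder index name used earlier in the thread; `user` is assumed to be the auto-extracted field from the original question.

```spl
index=idx
| eval raw_mask=if(match(_raw, "[*]{5}"), "yes", "no")
| eval field_mask=if(like(user, "%*%"), "yes", "no")
| stats count by user raw_mask field_mask
```

Rows with `raw_mask=yes` mean the value was already masked before indexing (SEDCMD or transforms on an indexer or heavy forwarder); rows with `field_mask=yes` but `raw_mask=no` mean the masking is applied at search time (a calculated field, eval, lookup or field extraction overwriting `user`).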

_smp_
Builder

Only because that's the string somesoni2 asked me to use. It seemed odd to me, but I'm a newbie. The value of user that I see in the top ten is a set of five asterisks.

0 Karma

somesoni2
Revered Legend

My bad, not sure where my mind was. Martin's syntax is what you should use.

0 Karma

_smp_
Builder

No problem, I appreciate your willingness to try and help. I realize this thread has gone beyond where it should, so I opened a support case yesterday. I'll post an update when I have one.

0 Karma

martin_mueller
SplunkTrust

One potential source would be a calculated field, check Settings -> Fields -> Calculated Fields for one overwriting user.

0 Karma

_smp_
Builder

Thanks for the reply. I did not find any.

0 Karma