Referring to instruction of anonymization in page bellow:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles
During indexing, instead of replacing a field value with literals, I would like to apply a function on it (for example encrypt it)
[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
For example instead of replacing SessionId=3A1785URH117BEA
with SessionId=########
, I would like to replace it with a runtime value result of applying a function (like encryption function ).
This way I'll have a mechanism to get the original values if needed.
Has anybody come up with a solution for that.
Thanks
There is a hot new product called Cribl that is a swiss-army-knife to backfill all of the things that splunk should do but doesn't/can't. I passed this on to them and they should comment (@clintsharp, @dritan).
Hi Gregg,
thanks for the hint, it seems this tool could solve my problem described at 771002.
I will take a look at this tool.
Splunk 6.6 introduced cryptographic functions md5() sha1() etc.
You can encrypt fields at index time using these functions along with INGEST_EVAL.
You can also use calculated fields in props.conf to encrypt fields at search time. But one can easily view the source of the log data to see unencrypted values if done at search time.
See: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/CryptographicFunctions
This way you can generate hashes. But it isn´t possible to revert this to get the original value. There is no password or certificate based encryption implemented in Splunk yet. As far as I know.
I am also searching for something similar. My requirement is I should be able to decrypt fields or rex pattern by supplying "KEY" on the search box . I did some search and found the best way to do is to write custom search command and feed the search result to this search command by eval function. The underlining decryption may be written in python sdk using mapper.
Please let me know
You are going to have to do this with a pre-parser (outside of Splunk); it is pretty easy.
You mean: log.txt -> postprocessed to -> log_processed.txt -> indexing only log_processed.txt files ?
Well, it works when batch processing files. But in case of real time monitoring files or TCP/UDP it is ideal to leave encryption to Splunk.
How do you do this in Splunk? I can't find any encryption function.
Yes, exactly.