- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- How to use srchFilter to anonymize data based on r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Haros my friends!
I would like to anonymize sensitive data at search-time but, only for certain roles and without having to resort to index-time data anonymize via props/transforms. Is this possible? I tried using srchFilter in the roles via the GUI, but Splunk complains about unbalanced quotes if I use any type of commands after a pipe.
Por Favor, ayudenme!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can. The reason you see a message about unbalanced quotes has to do with how splunk adds the search terms to the base of the search and apparently, a | will cause the search to fail at runtime. There is a dirty workaround for this. And it involves bypassing the GUI and adding two closing quotes before your search and two after your search. Like this:
Authorize.conf
[yourAwesomeRole]
srchFilter = )) | rex "(?<testfield>\d)" ((
By adding the double parentheses before and afterwards, you can now use search commands that require a pipe, such as the rex command with mode=sed which should allow you to anonymize at search time.
CAUTION: If you use this method to anonymize data, please be aware that this can have a major performance impact on your search speed. The rex command with mode=sed can be very expensive, especially if traversing very large events. Use this with caution. This is NOT A SUPPORTED CONFIGURATION as of this moment.
The proper way to restrict sensitive data would be to clone your data to another index and anonymize data at index time on the cloned copy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can. The reason you see a message about unbalanced quotes has to do with how splunk adds the search terms to the base of the search and apparently, a | will cause the search to fail at runtime. There is a dirty workaround for this. And it involves bypassing the GUI and adding two closing quotes before your search and two after your search. Like this:
Authorize.conf
[yourAwesomeRole]
srchFilter = )) | rex "(?<testfield>\d)" ((
By adding the double parentheses before and afterwards, you can now use search commands that require a pipe, such as the rex command with mode=sed which should allow you to anonymize at search time.
CAUTION: If you use this method to anonymize data, please be aware that this can have a major performance impact on your search speed. The rex command with mode=sed can be very expensive, especially if traversing very large events. Use this with caution. This is NOT A SUPPORTED CONFIGURATION as of this moment.
The proper way to restrict sensitive data would be to clone your data to another index and anonymize data at index time on the cloned copy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks you @joetronic. This is just what I was looking for. You da man!!
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
