Splunk Search

How do I read all searches with a specific action in savedsearches.conf?

GauriSplunk
Path Finder

I have created an alert with user name password fields such that the alert in savedsearches.conf has
action.creds_transfer.param.username= aaa
action.creds_transfer.param.password = test

where creds_transfer is an alert action

I need to read all searches with this action and encrypt the password since it is in clear text.
How can i do that?
Thanks

0 Karma

DavidHourani
Super Champion

Hello Gauri,

Using the rot13-encoding is reversible especially since you are doing it via rex so anyone that can see what the search is will know what is replaced by what and decode it. I advise you to have a look at :

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Cryptographic_...

Using hash functions such as :

... | eval n=md5(field)

Or

.. | eval n=sha512(field)

Is safer and not reversible.

Regards,
David

0 Karma

woodcock
Esteemed Legend

This uses rot13-encoding to obscure:

|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "grfg"
0 Karma

GauriSplunk
Path Finder

Thanks for your response.
couple of questions
Does saved/searches command also read searches from local/savedsearches.conf?
Where do i add this command? How can i call this from a python script?.
Can i run it using curl?

This is how my alert looks in local/savedsearches.conf. I dont want the password here to be cleartext.

[test-alert]
action.creds_transfer = 1
action.creds_transfer.param.password = coolio
action.creds_transfer.param.username = test
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 0 1 * * *
description = test Alert
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = equal to
run_on_startup = 1
search = *

0 Karma

woodcock
Esteemed Legend

It doesn't work that way.

0 Karma

GauriSplunk
Path Finder

ok. i tried with
|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa"
and it didnt give error but also i did not get any results.
When i do |rest /servicesNS/-/-/saved/searches , I see the results and the value for action.creds_transfer.param.username.
but when i put where clause i do not see any results.
I also tried with other values instead of username and for those too i did not get any results.

is the syntax correct?
Thanks
-Gauri

0 Karma

woodcock
Esteemed Legend

You have to rot13-encode coolio so use pbbyvb:

http://www.rot13.com

I assumed the whole purpose was to obfuscate plain-text passwords in your search and search results, which this approach does.

0 Karma

GauriSplunk
Path Finder

i ran this on splunk search
|rest /servicesNS/admin/infoblox/saved/searches action.creds_transfer.param.username = "test" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "coolio"
it gives me this error:
Error in 'rest' command: Invalid argument: 'action.creds_transfer.param.username'

0 Karma

woodcock
Esteemed Legend

I had a mistake, please try again with updated answer text.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...