Dashboards & Visualizations

Splunk Field values are visible in URL. How can we hide them?

rakesh_498115
Motivator

Hi All,

I was using SPLUNK version 6.2.2 for deploying dashboards to our project internal security team. The data which we are gonna expose in Splunk is very critical and we don't want external users to have access to them via URL. All the dashboards developed are converted to HTML, so when a dashboard loads, the field values used in the dashboard form are passed in the browser URL and those are clearly visible to the users. I don't want to expose these field values to users, so how can we hide them?

Eg:

http://localhost:8080/en-GB/app/custom_app/Data_Report?form.field1=TotalPrice&form.field2=*&form.report_date_uk=09%2F02%2F2016&form.report_date=02%2F09%2F2016&earliest=0&latest=&form.field5=cost%20%28%C2%A3%29&form.field6=0

Here the values field1, report_date_uk, and report_date are used in the dashboard.

Can we hide them from being displayed in the URL and pass them in a "Post" process, i.e. in a hidden way?

As we use the method="post/get" attribute in html forms, can we add them to Splunk dashboards/forms?

thanks
Rakesh.

1 Solution

masonmorales
Influencer

Not that I know of. You have a couple different options for your use case though:

  1. Embedded reports (hosted outside of Splunk)
  2. Create a new role, add a search filter inside the role, limit indexes, capabilities, etc. and restrict the role to one app with just the view you want them to have access to


0 Karma
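
The role-based option from the answer above, sketched as Splunk configuration. This is an added example, not part of the original thread; the role name, index and search filter are placeholders, while `custom_app` and `Data_Report` are taken from the URL in the question.

```ini
# --- authorize.conf (for example in $SPLUNK_HOME/etc/system/local/) ---
# "report_viewer", "sales_reports" and the srchFilter value are placeholders.
[role_report_viewer]
# No importRoles line, so nothing is inherited from "user" or "power".
# Grant only the capability the dashboard needs.
search = enabled
# The role can search this index only, whatever form.* values arrive in the URL.
srchIndexesAllowed = sales_reports
srchIndexesDefault = sales_reports
# Appended server-side to every search the role runs.
srchFilter = sourcetype=price_report

# --- metadata/local.meta inside the app (etc/apps/custom_app/metadata/) ---
# App-level read access for the restricted role only.
[]
access = read : [ report_viewer ], write : [ admin ]

# Read access to the single view the role is meant to see.
[views/Data_Report]
access = read : [ report_viewer ], write : [ admin ]
```

With this in place, editing `form.field1` or the date tokens in the address bar changes only the inputs to a search that is still confined to the role's index and filter.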

sfatnass
Contributor

Hi, if you use an HTML dashboard you can try a KV store element to hide params in the URL.

0 Karma

rakesh_498115
Motivator

Hi masonmorales,

Thanks for your reply.

It's not about roles etc. We have restricted the access with roles etc. We don't have the field values to be passed in visible mode to the end user. Can we do something about this? This is raised against our application in pen testing.

thanks,
rakesh.

0 Karma

jplumsdaine22
Influencer

The pen testers should not be worried about this - there is no additional information in the URI (like session tokens etc.) that is not in the requested resource. If you're really worried about it, put a reverse proxy in front of Splunk and rewrite the URLs.

As @masonmorales said, if you properly create your roles then the users cannot run any searches they're not supposed to.

0 Karma

rakesh_498115
Motivator

Yes jplumsdaine22,

I agree with your point. It's a concern raised by our pen testers to launch the product. I have raised a case with the Splunk support team and got to know they are gonna raise an Enhancement request for the same.

thanks,
Rakesh.

0 Karma