I have a situation where I don't need people to see the data in a lookup file, so I want to encrypt it. Can Splunk decrypt it and use the actual data in the query result?
Where do you want to encrypt it, on the system running Splunk or in the Splunk environment itself?
The thing is, you could certainly encrypt/scramble the data within the lookup file and then have a custom lookup script that reads the file, unscrambles the data and returns it. However using that approach you would still have to provide the decryption key as something that's hardcoded within the dynamic lookup script, so a determined user could just look at the script, grab the key from there and decrypt the data him/herself. A better option in this case would be to use file permissions to make sure only the users that should be able to read these files have the permissions to do so.
If you're talking about doing this WITHIN Splunk, meaning Splunk receives and presents the contents of a lookup table in its encrypted form, you could certainly write your own custom search command that takes the fields returned from the lookup and a decryption key provided by you in the search command, and use that key to decrypt the data before finally returning it to you in its unencrypted form. Depending on your demands you could possibly even use eval for implementing a very simple encryption/decryption algorithm, if your goal is just to make sure that the initial data isn't at least 100% plaintext. Note though that with this approach you would have to make sure that your query history in Splunk's internal logs isn't readable by the users that you want to protect the data from, as they could recover the key by checking your past queries.
This is definitely not something that's included with Splunk out of the box; you would have to implement this functionality yourself, but sure, it's doable.
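To make the two points in the answer above concrete (a custom lookup script that decrypts the file's contents, and the problem of where the key lives), here is an added example that is not part of the original thread and not Splunk's own code. It follows the external (scripted) lookup convention of reading CSV rows on stdin and writing CSV rows on stdout, which is an assumption about the interface and should be checked against the transforms.conf documentation for your version. Instead of hardcoding the key in the script, or passing it on the search line where it would land in the query history, the script reads it from a file whose permissions it checks, so only the Splunk service account needs read access. The field names `secret_enc` and `secret`, the key path and the environment variable are all made up for the example. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag built from the standard library; it stands in for AES-GCM, which would need a third-party package.

```python
"""Scripted-lookup example: decrypt one field of each lookup row.

Assumed interface (verify against your Splunk version): Splunk pipes the
lookup rows as CSV to stdin and reads the enriched rows as CSV from stdout.
"""
import base64
import csv
import hashlib
import hmac
import io
import os
import sys

FIELD_IN = "secret_enc"   # hypothetical column holding the encrypted value
FIELD_OUT = "secret"      # hypothetical column the search will see
NONCE_LEN = 12
TAG_LEN = 16


def derive_keys(master: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"lookup-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"lookup-mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC; a fresh random nonce per value (used when the file is built)."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt(master: bytes, token: str) -> str:
    """Verify the tag before decrypting; raise ValueError on wrong key or tampering."""
    raw = base64.b64decode(token)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))).decode("utf-8")


def load_key(path: str) -> bytes:
    """Read the key from a file that must not be group- or world-accessible."""
    mode = os.stat(path).st_mode
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by others; tighten permissions to 0600")
    with open(path, "rb") as fh:
        return fh.read().strip()


def lookup_rows(csv_text: str, master: bytes):
    """Decrypt FIELD_IN into FIELD_OUT for every row; undecryptable values become empty."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        token = row.get(FIELD_IN) or ""
        try:
            row[FIELD_OUT] = decrypt(master, token) if token else ""
        except ValueError:
            row[FIELD_OUT] = ""   # wrong key or tampered value: never return garbage
        rows.append(row)
    return rows


def transform_csv(csv_text: str, master: bytes) -> str:
    """CSV in, CSV out, with FIELD_OUT appended if the header lacks it."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = list(reader.fieldnames or [])
    if FIELD_OUT not in fields:
        fields.append(FIELD_OUT)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for row in lookup_rows(csv_text, master):
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Hypothetical key location; the search never carries the key.
    key_file = os.environ.get("LOOKUP_KEY_FILE", "/opt/splunk/etc/lookup_key")
    sys.stdout.write(transform_csv(sys.stdin.read(), load_key(key_file)))
```

With this layout the search references the lookup normally and never names the key, so nothing sensitive reaches the query history the answer warns about; the remaining exposure is whoever can read the key file and the search results themselves, which is back to Splunk role permissions and file permissions, as the answer suggests.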