Hello, new Splunk user here. I have some syslog events that have a field automatically extracted named "user". In the top values of this field, one of the usernames is masked as '*****'. But when I search for these events, the user name is clearly shown in the actual event data. It is also masked in the top 10. I have searched my config files for the string '*****' looking for some anonymization logic, but I can't find any. Can someone help me figure out where to look?
Keep in mind, there is no direct way to search for a literal asterisk. You'll need to work around this, for example with the `regex` command to filter search results with regular expressions.
Thank you. Yes, that fooled me once, but somesoni2 straightened me out in one of his earlier replies.
Without further information, you may have configured some data to be anonymized at search time. This section of the Splunk documentation speaks to it:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Anonymizedata
When you say "when I search for these events, the user name is clearly shown in the actual event data", what search did you use? Can you try something like this and see if they are actually masked:
`your base search without user filter | regex user="\*\*\*\*\*"`
If you see the masked values in the raw data, then the masking logic is implemented/configured on the indexers/heavy forwarders.
Haha, joke's on me. I was just clicking on the "*****" user in the Top 10 Values, which adds the filter `user="*****"` to the search string. When I escape the asterisks, I get zero results.
So I think that explains why I see other users in the search results - because I'm a newbie. But it's still not clear why a user with that name shows up in the Top 10 Values.
Thanks for the response.
The top list is based on occurrence of the field, so it could very well be that you've more user values masked than any other single user.
I'm not quite sure what that means. When I search for `regex user="*****"`, I get no results, so to me that means the mask is not in the actual event data. So how do I figure out where Splunk is masking it for me? Or maybe I misunderstood your point.
Can you try this as well, just to check if the raw data has masking or not (check the number of asterisks):
`your base search without user filter | where user="%*%"`
UPDATED
`your base search without user filter | where LIKE(user,"%*%")`
This search returns a list of events where the user value "*****" is in the top 10 values:
`index=idx`
This search returns nothing:
`index=idx | where user="%*****%"`
The percent signs suggest you're trying to do an SQL-style LIKE? If so, that'd work like this:
`... | where LIKE(user, "%*%")`
Only because that's the string somesoni2 asked me to use. It seemed odd to me, but I'm a newbie. The value of user that I see in the top ten is a set of five asterisks.
My bad, not sure where my mind was. Martin's syntax is what you should use.
No problem, I appreciate your willingness to try and help. I realize this thread has gone beyond where it should, so I opened a support case yesterday. I'll post an update when I have one.
One potential source would be a calculated field; check Settings -> Fields -> Calculated Fields for one overwriting `user`.
Thanks for the reply. I did not find any.