A Quick Guide to Hiding Certain Splunk Fields

Scenario

Alerts must be sent to the monitoring teams, but fields with sensitive information cannot be included. In a recent customer engagement, a Splunk search was used to monitor an issue. This search included fields that were useful for investigation, but the sensitive information was not permitted in an email and could not be shared with the entire first-level monitoring team.

Solution

The recipient groups for e-mail alerts are, in many cases, L1 support groups or other monitoring groups from whom sensitive data should be masked.

The alert still had to carry the query results so that administrators could see everything needed to clear the alert condition. We therefore needed a way to hide the sensitive fields in the alert e-mail while keeping them visible in the search results to users who drill down into Splunk.

Splunk fields fall into two groups: internal fields, whose names begin with an underscore, and non-internal fields. When Splunk sends an email alert, only the non-internal fields are included in the message.

The solution was to rename the fields containing sensitive information so that they carry a leading underscore. They are then omitted from the alert action email but remain accessible in the Splunk search to users with the appropriate permissions. Note that this changes only what the email shows; the data itself is unchanged in the index, so who can see it is still governed by index permissions on the user's roles.

Example Code

Here is an example Splunk query that contains sensitive fields.

index=sensitive_data
| eval errormessage="There is an issue with the user: " + username + " on host: " + hostname + " due to reason " + reasoncode
| table errormessage username host ssn homeaddress salary creditcardnumber bankaccount healthconditions

The revised query that masks the fields looks like the following:

index=scary_sensitive_data_index scary_condition=true
| eval errormessage="There is an issue with the user: " + username + " on host: " + hostname + " due to reason " + reasoncode
| table errormessage username host ssn homeaddress salary creditcardnumber bankaccount healthconditions
| rename ssn AS _ssn, homeaddress AS _homeaddress, salary AS _salary, creditcardnumber AS _creditcardnumber, bankaccount AS _bankaccount, healthconditions AS _healthconditions

The email alert will then contain only the errormessage, username, and host fields, while the drill-down back to Splunk will show the masked fields only to users whose assigned roles grant access to the “scary_sensitive_data” index.
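As an added check (not from the original post and not a Splunk API), the following Python models the behaviour described above for a simplified SPL subset (only `table` and `rename` are interpreted) and reports which sensitive fields would still reach the e-mail recipients. The sensitive-field list and the two embedded queries are constructed from this page's example; run it against a saved search's SPL before enabling the alert.

```python
import re

# Constructed list of the fields this page treats as sensitive.
SENSITIVE = {"ssn", "homeaddress", "salary", "creditcardnumber",
             "bankaccount", "healthconditions"}

# The page's two queries, embedded here as sample input.
ORIGINAL_QUERY = (
    'index=sensitive_data | eval errormessage="There is an issue with the user: "'
    ' + username + " on host: " + hostname + " due to reason " + reasoncode'
    ' | table errormessage username host ssn homeaddress salary'
    ' creditcardnumber bankaccount healthconditions'
)
REVISED_QUERY = ORIGINAL_QUERY + (
    ' | rename ssn AS _ssn, homeaddress AS _homeaddress, salary AS _salary,'
    ' creditcardnumber AS _creditcardnumber, bankaccount AS _bankaccount,'
    ' healthconditions AS _healthconditions'
)

def _stages(spl):
    """Split SPL into pipeline stages on '|', ignoring pipes inside quotes."""
    stages, buf, in_str = [], [], False
    for ch in spl:
        if ch == '"':
            in_str = not in_str
        if ch == "|" and not in_str:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]

def alert_email_fields(spl):
    """Columns the e-mail action would show: `table` sets them, `rename old AS new`
    relabels them, and underscore-prefixed names are dropped from the message."""
    fields = []
    for stage in _stages(spl):
        cmd, _, args = stage.partition(" ")
        if cmd.lower() == "table":
            fields = args.split()
        elif cmd.lower() == "rename":
            for old, new in re.findall(r"([^\s,]+)\s+AS\s+([^\s,]+)", args, re.I):
                fields = [new if f == old else f for f in fields]
    return [f for f in fields if not f.startswith("_")]

def leaked_sensitive(spl, sensitive=SENSITIVE):
    """Sensitive fields that would still reach the e-mail recipients."""
    return sorted(set(alert_email_fields(spl)) & sensitive)
```

`leaked_sensitive(ORIGINAL_QUERY)` lists all six sensitive fields, while `leaked_sensitive(REVISED_QUERY)` returns an empty list and `alert_email_fields(REVISED_QUERY)` returns just errormessage, username and host.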