Routing root user events to a special index
You have a new Splunk Edge Processor installed and ready to be configured. You can now start creating pipelines, which will allow Splunk Edge Processor to process data. Your security team has asked you to filter any events relating to the “root” user in your Linux authentication data and send them to an index they’ve created for you called admin.
Solution
To meet this request, you need to create a pipeline to filter and route the data.
Applying masking, filtering, and transforming rules to your data can impact downstream processing and analytics that rely on specific fields - such as IP addresses or usernames - to provide insights and intelligence. For example, Splunk Enterprise Security relies on IP addresses and usernames as part of its risk-based alerting (RBA) functionality, meaning that masking either of those fields would limit the ability to detect risk within your security environment. Always check the potential impact of a pipeline before applying it.
- Log in to the Edge Processor.
- On the left side menu, click Pipelines.
- In the top right corner of the Pipelines page, click Create pipeline and select New pipeline. A pipeline menu appears on the right of the screen.
- In this menu, on the Actions tab, click the edit icon next to Use data from $source.
- Select the correct source type for the data you want to process in this pipeline (example: linux_secure).
- Click the Apply button in the Splunk Edge Processor UI to save the data source.
- Click Filter values.
- On the Add filter page, define the following:
  - Field: _raw
  - Action: Keep
  - Operator: .* match
  - Value: root
- Deselect Match case to remove case sensitivity and click Apply. A where command is automatically added to your SPL2 statement and should look like this:
    $pipeline =
    | from $source
    | where match(_raw, /root/i)
    | into $destination;
- To test your filter, click the blue Preview button in the top right corner of the screen. If your pipeline filter is correct, you should see some sample events containing ‘root’.
- Back on the Actions tab, next to Append data to $destination click the edit button.
- Set the destination to the admin index, as requested by your security team. Click Apply to save the destination.
- Click Save pipeline in the top right corner of the screen. Give your pipeline a suitable name, such as linux_root_send_to_index_<yourName>.
- Click Save to save your pipeline.
- To try out the new pipeline, click Pipelines on the top left of the page.
- Locate the pipeline you just created, click the three dots next to your new pipeline, and select Apply/remove.
- Select the Splunk Edge Processor you created earlier and click Save. You will see a brief message stating that your changes are being saved.
It may take a few minutes before you see the effects of your pipeline in Splunk Cloud Platform.
- To check the status of your Splunk Edge Processor node as the pipeline is being applied, click the pipeline while on the pipelines page. A panel will open up on the right of the page, showing the status of the Splunk Edge Processor instance that this pipeline has been applied to.
- Click the arrow next to the instance name to view more information.
- After your pipeline has been successfully applied, the status of your instance should change to healthy. To verify that the instance is indeed healthy, click Edge Processors in the menu on the left of the screen and refresh your web browser until your Splunk Edge Processor displays as healthy.
- To check your data, log in to your Splunk Cloud Platform instance and open up the Search & Reporting app.
- Run the following search and verify that you now see events containing root in the admin index:
index=admin root
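The filter built in this procedure, match(_raw, /root/i), keeps every event whose raw text contains "root" anywhere, not only events for the root user. The following added example (Python, not part of the original article and not Splunk code) runs that pattern over constructed linux_secure-style events beside a hypothetical stricter pattern, assuming Python's re module treats this simple expression the same way the SPL2 regex does.

```python
import re

# The pipeline's filter, match(_raw, /root/i): case-insensitive, unanchored.
PAGE_FILTER = re.compile(r"root", re.IGNORECASE)

# Hypothetical tighter pattern (an assumption, not from the page): "root" as a
# whole word in the places sshd, su and sudo write the user name.
STRICT_FILTER = re.compile(
    r"\bfor (?:invalid user )?root\b|\buser[ =]root\b", re.IGNORECASE
)

# Constructed linux_secure-style events, for illustration only.
SAMPLE_EVENTS = [
    "Jan 10 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Jan 10 03:15:42 web01 sshd[2290]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2",
    "Jan 10 03:16:01 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan 10 03:17:30 web01 sshd[2301]: Failed password for invalid user rootadmin from 203.0.113.7 port 51200 ssh2",
    "Jan 10 03:18:05 web01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=backup ; COMMAND=/usr/sbin/chroot /srv/jail",
    "Jan 10 03:19:44 web01 su: pam_unix(su:session): session opened for user ROOT by alice(uid=1000)",
]


def classify(events):
    """Return (event, kept_by_page_filter, kept_by_strict_filter) per event."""
    return [
        (e, bool(PAGE_FILTER.search(e)), bool(STRICT_FILTER.search(e)))
        for e in events
    ]


def over_matches(events):
    """Events the page's filter keeps that do not name root as the user."""
    return [e for e, page, strict in classify(events) if page and not strict]


if __name__ == "__main__":
    for event, page, strict in classify(SAMPLE_EVENTS):
        print(f"page={page!s:5} strict={strict!s:5} {event}")
    print(f"\n{len(over_matches(SAMPLE_EVENTS))} event(s) reach the admin "
          "index without naming root as the user")
```

Running the same comparison on events taken from Preview shows, before the pipeline is applied, whether user names such as rootadmin or commands such as chroot would also be routed to the admin index.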
Next steps
These additional Splunk resources might help you understand and implement this use case:
- Splunk Docs: About the Edge Processor solution
- Splunk Blog: Introducing Edge Processor: Next gen data transformation