I have a requirement to mask the value of a field after 30 days.
The events are JSON events. The users need to be able to see/search all the fields except one for up to a year. That one field must be hidden from view after 30 days.
My plan was to define a calculated field that, when `_time` is more than 30 days ago, overwrites the value of the field with one I supply. The calculation would be performed for every search. What I failed to consider were two things:
First, the field to be overwritten is a JSON field. The field name is `foo{}.id`. If I use `|eval foo{}.id = if ((_time < (now() - (86400*30))), "TOO OLD", foo{}.id)`, I get an error that the eval is malformed. If I add quotes around the field names like this: `|eval "foo{}.id" = if ((_time < (now() - (86400*30))), "TOO OLD", "foo{}.id")`, I get a new field called `foo.id` equal to TOO OLD, but I still have the original `foo{}.id` with the original value.
Second, even if I can get the calculated field to behave properly, the original value is still in the `_raw` field, which is easily visible in the events view or by adding `_raw` to a table.
So, is it possible to overwrite a single field at search time such that every search will return the overwritten value?
Also, can I somehow remove the `_raw` field for every search, and if so, are there any weird consequences from doing that?
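The following search is an added example, not part of the original question or of any answer on this page. It shows the two mechanics the question is groping for: in `eval`, a field name that contains special characters such as `{}` or `.` must be wrapped in single quotes (double quotes make it a string literal, which is why the second attempt produced a new `foo.id` field), and `_raw` can itself be rewritten with `replace()` so the old value does not survive in the event text. The sourcetype `my_json`, the 30-day cutoff, and the assumption that `id` is always a quoted JSON string are mine, not the poster's.

```spl
sourcetype=my_json
| eval cutoff = relative_time(now(), "-30d@d")
| eval 'foo{}.id' = if(_time < cutoff, "TOO OLD", 'foo{}.id')
| eval _raw = if(_time < cutoff,
                 replace(_raw, "\"id\"\s*:\s*\"[^\"]*\"", "\"id\":\"TOO OLD\""),
                 _raw)
| fields - cutoff
```

Two caveats a practitioner would add. The regex masks every `"id": "..."` key in the event, not only the one under `foo`, so narrow it if the event has other `id` keys, and it will not match an unquoted numeric `id`. More importantly, everything above is search-time presentation only: `| fields - _raw` (the answer to the second question) and any calculated field hide the value from a particular result set, but the original value remains in the index and can be recovered by anyone who can run a raw search against it. If the requirement is that the value be genuinely unrecoverable after 30 days, that has to be enforced at index time or through access control on the data, not with a per-search `eval`.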