Filtered and original field values in summary indexes

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

If you’re using field filters to protect sensitive fields in data model acceleration (DMA) searches, note that the original, unfiltered values of any sensitive fields that were summarized before field filters were processed might still exist in the data model summary index and corresponding tsidx files, even after field filters replace those values in search results.

To remove these unfiltered values, you can either wait for Splunk software to automatically rebuild the summary index for the accelerated data model according to the configured schedule, or manually trigger a rebuild of the summary index. Note that manually rebuilding the summary index can be resource-intensive and might affect the performance of other running processes. For instructions about rebuilding an accelerated data model summary index, see Manage data model acceleration.

See also