Create, manage, and test your field filters

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

Before you begin, see Plan for field filters in your organization for important considerations about planning for field filters.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone.

If your organization uses downstream configurations, such as accelerated data models, Splunk Enterprise Security (ES) detections using those data models, and user-level search-time field extractions, make sure that you plan around the implications of field filters on those configurations before deploying field filters in your environment. See READ THIS: Downstream impact of field filters.

If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restrict by default (mpreview and mstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Create and manage your field filters

How will you create and manage your field filters? Using Splunk Web is the easiest and most efficient way to configure field filters. But, depending on your organization's needs, you might decide to use the Splunk platform REST API or, if you are using Splunk Enterprise, you might be more comfortable using configuration files.

You can create and manage field filters using one of the following methods:

Develop a test plan before you deploy field filters in production

Before you deploy field filters in production, be sure to test them thoroughly. Use field filters in a test environment before rolling them out to your organization to verify that they work the way you intend in various scenarios that are typical for your organization. To prevent surprises later, you should also test any special use cases that might fail when field filters prevent certain privileged information from being discoverable. For example, reports, which are also referred to as "saved searches," might not work anymore once field filters are deployed.
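As a starting point for the test plan, the following added example (not Splunk's own code) scans the text of a savedsearches.conf file and lists the reports that name an index you plan to filter and either use a restricted command (mpreview, mstats) or reference a field you plan to filter. The stanza names, index names, and field names are hypothetical, and the sample configuration is constructed.

```python
import configparser
import fnmatch
import re

RESTRICTED_COMMANDS = ("mpreview", "mstats")  # restricted by default, per this page

# Constructed savedsearches.conf content; stanza names, indexes and fields are hypothetical.
SAMPLE_CONF = """\
[Failed logins by user]
search = index=auth_prod action=failure | stats count by user, src_ip

[Metric CPU rollup]
search = | mstats avg(cpu.usage) WHERE index=metrics_prod span=5m

[Web errors]
search = index=web status>=500 | timechart count
"""

def audit_saved_searches(conf_text, filtered_indexes, filtered_fields):
    """Return {report name: [reasons]} for reports to cover in the test plan."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case as written
    parser.read_string(conf_text)
    findings = {}
    for name in parser.sections():
        spl = parser.get(name, "search", fallback="")
        # Index terms may contain wildcards (index=auth*), so match them as patterns.
        patterns = re.findall(r'\bindex\s*=\s*"?([\w*.-]+)', spl)
        hit = sorted(i for i in filtered_indexes
                     if any(fnmatch.fnmatchcase(i, p) for p in patterns))
        if not hit:
            continue  # no filtered index is named in this search
        reasons = []
        for cmd in RESTRICTED_COMMANDS:
            # A command starts the search or follows a pipe.
            if re.search(r"(?:^|\|)\s*" + cmd + r"\b", spl):
                reasons.append(f"restricted command {cmd} on {', '.join(hit)}")
        for field in sorted(filtered_fields):
            # Whole-name match so 'user' does not match 'user_agent' or 'src.user'.
            if re.search(r"(?<![\w.])" + re.escape(field) + r"(?![\w.])", spl):
                reasons.append(f"uses filtered field {field}")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    result = audit_saved_searches(SAMPLE_CONF, {"auth_prod", "metrics_prod"}, {"user"})
    for report, reasons in result.items():
        print(f"{report}: {'; '.join(reasons)}")
```

This is a text match on the search string only, so reports that rely on a role's default indexes, macros, or data models still need to be run by hand in the test environment.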

Next step

Next, plan your indexes, hosts, sources, and source types.