READ THIS: Downstream impact of field filters

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

Before you begin, see Plan for field filters in your organization for important considerations about planning for field filters.

Field filters are the first operation in the search-time operation sequence, so every operation that comes later in the sequence, such as calculated fields, lookups, and statistical commands, works with the filtered values rather than the original ones. Any downstream operation that depends on the original value of a filtered field might therefore break or return different results. For example, you might need to configure field filters with hash functions, which preserve the statistical uniqueness of field values so that later operations such as distinct counts and joins still work, or reevaluate search operations that are used together with field filters. See The sequence of search-time operations in the Knowledge Manager Manual.

Downstream impact on DMA

If your organization uses the Splunk Common Information Model (CIM) and field filters on the Splunk platform to protect sensitive fields, you must understand the following downstream impact of field filters on data model acceleration (DMA).

  • As the first operation in the search-time operation sequence, field filters protect confidential information in indexes that data model summary generation searches pull from. As a result of this protection, DMA searches using fields calculated based on sensitive data might produce different results than searches without field filters.

  • If certain highly privileged roles need access to protected data during data model summary generation, you can exempt roles from field filters. Use caution when exempting roles from field filters: the summary is generated with that role's unfiltered view, so sensitive values are written into the summary, and users who can search the accelerated data model gain visibility into sensitive data through the summary that field filters would otherwise hide from them.

For more information about using field filters with DMA, see Use field filters in searches on accelerated data models.

For more information about the CIM, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.

Downstream impact on automatic key-value field extraction

Because field filters are applied before automatic key-value (KV) field extraction in the sequence of search-time operations, the filtered indexed field and the value that KV extraction pulls from the filtered _raw event are merged at search time. If the indexed field filter and the _raw field filter replace the same field with different values, KV field extraction can change a single-value field into a multi-value field.

For example, suppose your customer is assigned a ticket number, and the indexed ticket field contains a single value. If you apply both an indexed field filter and a _raw field filter to the ticket field, but each filter replaces the value with a different string, the two replacement values from the indexed field and the _raw field are merged into a multi-value field when automatic key-value field extraction is configured to extract multiple values through KV_MODE and other settings. Searches on the indexed ticket field then fail unless you update them to expect a multi-value field instead of a single-value field. See Configure automatic key-value field extraction.
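The following Python model is added here for illustration and is not part of Splunk or of this documentation. It ties together the two downstream effects described above: a stand-in field filter (null(), sha256(), or a literal string) is applied to an indexed ticket field and to the ticket=<value> pair inside _raw, a stand-in automatic key-value extraction runs over the filtered _raw, and the result shows how the filter choice changes a downstream distinct count and whether the merged field becomes multi-value. The events, field names and filter modes are constructed for the example; the merge logic models the behavior this page describes, not Splunk's internal implementation.

```python
import hashlib
import re

# Constructed sample events, not real Splunk data. Each event has an indexed
# field "ticket" and a _raw string that repeats the ticket as a key=value pair.
EVENTS = [
    {"ticket": "T-1001", "_raw": "user=alice ticket=T-1001 action=open"},
    {"ticket": "T-1002", "_raw": "user=bob ticket=T-1002 action=open"},
    {"ticket": "T-1001", "_raw": "user=alice ticket=T-1001 action=close"},
    {"ticket": "T-1003", "_raw": "user=carol ticket=T-1003 action=open"},
]


def apply_filter(value, mode):
    """Model of a field filter action on one value (assumed modes, not Splunk syntax).

    "null"   -> value removed (None)
    "sha256" -> deterministic hash: equal inputs stay equal, distinct stay distinct
    other    -> literal replacement: every value collapses to the same string
    """
    if mode == "null":
        return None
    if mode == "sha256":
        return hashlib.sha256(value.encode()).hexdigest()
    return mode


def filter_raw(raw, mode):
    """Model of a _raw field filter: rewrite ticket=<value> inside the event text."""
    def repl(match):
        new = apply_filter(match.group(1), mode)
        return "ticket=" + ("" if new is None else new)
    return re.sub(r"ticket=(\S+)", repl, raw)


def kv_extract(raw):
    """Model of automatic key=value extraction over _raw."""
    return dict(pair.split("=", 1) for pair in raw.split() if "=" in pair)


def search_time_values(event, indexed_mode, raw_mode):
    """Filters run first, then KV extraction, then the indexed value is merged
    with the value extracted from _raw. Two distinct values -> multi-value field."""
    indexed = apply_filter(event["ticket"], indexed_mode)
    extracted = kv_extract(filter_raw(event["_raw"], raw_mode)).get("ticket")
    merged = []
    for value in (indexed, extracted):
        if value not in (None, "") and value not in merged:
            merged.append(value)
    return merged


def distinct_count(mode):
    """Downstream stats dc(ticket) computed over the filtered indexed field."""
    return len({apply_filter(e["ticket"], mode) for e in EVENTS} - {None})


def multivalue_events(indexed_mode, raw_mode):
    """Pre-rollout check: how many events would end up with a multi-value ticket."""
    return sum(len(search_time_values(e, indexed_mode, raw_mode)) > 1 for e in EVENTS)


if __name__ == "__main__":
    print("dc(ticket) unfiltered :", len({e["ticket"] for e in EVENTS}))
    print("dc(ticket) sha256     :", distinct_count("sha256"))
    print("dc(ticket) literal    :", distinct_count("XXXX"))
    print("multi-value events, matching filters  :", multivalue_events("sha256", "sha256"))
    print("multi-value events, mismatched filters:", multivalue_events("REDACTED", "XXXX"))
```

Running the block shows dc(ticket) staying at 3 with the hash filter but collapsing to 1 with a literal replacement, and every event becoming multi-value as soon as the indexed and _raw filters replace the ticket with different strings. Deterministic hashing is what keeps counts and joins intact, but it also means that a low-cardinality or guessable field such as a sequential ticket number can be reversed by hashing the candidate values, so a hash filter reduces exposure rather than eliminating it.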

Next step

Next, plan for how restricted commands are impacted and consider workaround solutions. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.