READ THIS: Restricted commands do not work in searches on indexes that have field filters
Before you begin, see Plan for field filters in your organization for important considerations about planning for field filters.
When you deploy field filters in your organization, the following commands will no longer work in searches across indexes that have field filters:
The Splunk platform deactivates these commands by default on indexes that have field filters, and does not allow any users to run them, because they can return sensitive index information that users restricted by field filters might not be allowed to access. Without this safeguard around restricted commands, your organization might be exposed to a potential security risk if someone with malicious intentions tries to use these commands to get around field filters.
Restricted commands workaround
If you want certain highly trusted users to be able to use these restricted commands when field filters are in use, take one of the following actions when you create a field filter:
- Exempt the user's role from the field filter, which will allow the role to circumvent the field filter and use restricted commands across searches on specified indexes that have field filters. See Exempt certain roles from field filters using Splunk Web.
- Assign the run_commands_ignoring_field_filter capability to the user's role, which will allow the role to use restricted commands in searches by circumventing all field filters on all indexes. Users with the run_commands_ignoring_field_filter capability can run restricted commands that return index information even when their role is affected by a field filter. To add capabilities to a role, see Define roles on the Splunk platform with capabilities.
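Because this capability bypasses all field filters on all indexes, it is worth auditing which roles hold it, including roles that pick it up through role inheritance. The following Python script is an added example, not Splunk's own tooling: it assumes you pass it the merged text of authorize.conf, and the role names in the sample are hypothetical.

```python
CAP = "run_commands_ignoring_field_filter"
# Constructed sample authorize.conf content; role names are hypothetical.
SAMPLE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
[role_ff_auditor]
importRoles = user
run_commands_ignoring_field_filter = enabled
[role_soc_lead]
importRoles = power;ff_auditor
"""

def parse_roles(text):
    """Parse merged authorize.conf text into {role: {"caps": set, "imports": list}}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]  # only [role_<name>] stanzas define roles
            current = roles.setdefault(name[5:], {"caps": set(), "imports": []}) if name.startswith("role_") else None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "importRoles":  # semicolon-separated parent roles
                current["imports"] = [r.strip() for r in value.split(";") if r.strip()]
            elif value == "enabled":
                current["caps"].add(key)
    return roles

def capability_source(roles, role, cap, seen):
    """Return the role that grants cap to role (itself or an ancestor), else None."""
    if role in seen or role not in roles:  # guards against import cycles and unknown roles
        return None
    seen.add(role)
    if cap in roles[role]["caps"]:
        return role
    for parent in roles[role]["imports"]:
        origin = capability_source(roles, parent, cap, seen)
        if origin:
            return origin
    return None

def roles_with_capability(roles, cap=CAP):
    """Map every role that effectively holds cap to the role that grants it."""
    hits = {r: capability_source(roles, r, cap, set()) for r in roles}
    return {r: src for r, src in hits.items() if src}

if __name__ == "__main__":
    print(roles_with_capability(parse_roles(SAMPLE_CONF)))
```

Any role in the result whose granting role differs from itself holds the capability only through inheritance, which is easy to miss when reviewing roles one at a time.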
Next step
Next, plan performance optimizations for your field filters. See Optimize performance.