Upgrades and migration

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

Before you begin, see Plan for field filters in your organization for important considerations about planning for field filters.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone.

If your organization uses downstream configurations, such as accelerated data models, Splunk Enterprise Security (ES) detections using those data models, and user-level search-time field extractions, make sure that you plan around the implications of field filters on those configurations before deploying field filters in your environment. See READ THIS: Downstream impact of field filters.

If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview and mstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Search heads and indexers

If you have a distributed Splunk Enterprise environment and plan to run field filters on a search head, the versions of the search head and indexers must be compatible. For example, to configure field filters on a search head running Splunk Enterprise version 9.4.0, the indexers must also run Splunk Enterprise version 9.4.0 or higher. Your plans for rolling out field filters might need to include upgrading your search heads and indexers, so that all of your versions are in sync.

Migrate existing sed expressions from the SEDCMD setting

If you use the SEDCMD setting to anonymize raw data at index time, you can now use field filters to remove the same type of sensitive data at search time instead. Just migrate the sed expression used with the SEDCMD setting by copying and pasting the sed expression into a new _raw field filter in Splunk Web. For information about the SEDCMD setting, see Anonymize data in Getting Data In.

Next step

Next, plan for limitations for using field filters. See Limitations on using field filters in your environment.