Filtered and original field values in summary indexes

If you’re using field filters to protect sensitive fields in DMA searches, it’s important to note that the original, unfiltered values of any sensitive fields summarized before field filters were processed might still exist in the data model summary index, and corresponding tsidx files, even after field filters replace those values in search results.

To remove these unfiltered values, you can either wait for Splunk software to automatically rebuild the summary index for the accelerated data model according to the configured schedule, or manually trigger a rebuild of the summary index. Note that manually rebuilding the summary index can be resource-intensive and might affect the performance of other running processes. For instructions about rebuilding an accelerated data model summary index, see Manage data model acceleration.