How field filters work in accelerated data models
Field filters can protect search-time fields that are defined in accelerated data models.
You can use field filters to control access to specific sensitive fields in search results. This includes fields extracted from indexed events and fields stored in the summaries that accelerated data models build to speed up searches of those fields. When data model acceleration (DMA) is in use, the field filters are applied in the summarization searches themselves, so the summaries written to disk are already protected, as long as the field filter does not exempt specific roles from filtering.

Field filters redact or obfuscate field values in search results, including results retrieved from accelerated data model summaries, without modifying the underlying raw data or the original .tsidx files from which the summary .tsidx files are generated. As a result, unauthorized users cannot view protected fields and their values, regardless of whether a search reads raw events or accelerated data model summaries.
For example, say you create an accelerated data model on an index called privacy_logs that extracts the following indexed fields:
- action
- ip
- ssn
- user
The summarization search matches ssn=*73*. When the summarization search runs without the field filter, the ssn field value for the user Rebecca is 607-73-0445.
To protect the ssn field, you create a _raw field filter in Splunk Web called ssn_fieldfilter on the privacy_logs index with Regex value match set to ssn=([^ ]+) and Replacement set to ssn=Redacted, like this:
After the field filter is applied and the summary is rebuilt, the next time the summarization search runs, the ssn field value is redacted and only the string Redacted is displayed:
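The following Python script is an added example, not code from the original page or from Splunk, that models the behaviour described above: the summarization search constraint ssn=*73* is evaluated against the unmodified indexed fields, the _raw field filter (Regex value match ssn=([^ ]+), Replacement ssn=Redacted) is applied to each matching event before its search-time fields are written to the summary, and a role exempted from the filter sees the original value. The events, the role names, and the EXEMPT_ROLES set are constructed assumptions for the demonstration; they are not Splunk settings.

```python
import fnmatch
import re

# Constructed sample events for the privacy_logs index (not from the original page).
# Each event carries the four indexed fields from the example: action, ip, ssn, user.
PRIVACY_LOGS = [
    "action=login ip=10.1.2.3 ssn=607-73-0445 user=Rebecca",
    "action=view ip=10.1.2.9 ssn=321-55-8810 user=Marco",
    "action=logout ip=10.1.2.3 ssn=607-73-0445 user=Rebecca",
]

# The ssn_fieldfilter definition from the page: Regex value match and Replacement.
SSN_FILTER_REGEX = re.compile(r"ssn=([^ ]+)")
SSN_FILTER_REPLACEMENT = "ssn=Redacted"

# Hypothetical roles exempted from the field filter (an assumption for this example).
EXEMPT_ROLES = {"privacy_admin"}


def extract_fields(raw):
    """Search-time key=value extraction over the (possibly redacted) raw text."""
    return dict(re.findall(r"(\w+)=(\S+)", raw))


def indexed_fields(raw):
    """Indexed fields as they live in the original .tsidx files: never redacted."""
    return extract_fields(raw)


def apply_field_filter(raw, role):
    """Redact the ssn value in the raw event unless the role is exempt from the filter."""
    if role in EXEMPT_ROLES:
        return raw
    return SSN_FILTER_REGEX.sub(SSN_FILTER_REPLACEMENT, raw)


def summarization_search(events, role, constraint=("ssn", "*73*")):
    """Simplified model of the summarization search that builds the DMA summary.

    The constraint (ssn=*73*) is matched against the indexed fields, which the
    filter does not touch; the field filter is then applied to the raw text of
    each matching event before its search-time fields go into the summary.
    """
    field, pattern = constraint
    summary = []
    for raw in events:
        if not fnmatch.fnmatchcase(indexed_fields(raw).get(field, ""), pattern):
            continue
        summary.append(extract_fields(apply_field_filter(raw, role)))
    return summary


def ssn_values(summary, user):
    """Distinct ssn values recorded in the summary for one user."""
    return sorted({row["ssn"] for row in summary if row.get("user") == user})


if __name__ == "__main__":
    # A regular analyst: Rebecca's events are still summarised, but ssn reads Redacted.
    print(ssn_values(summarization_search(PRIVACY_LOGS, "analyst"), "Rebecca"))
    # An exempt role sees the original value 607-73-0445.
    print(ssn_values(summarization_search(PRIVACY_LOGS, "privacy_admin"), "Rebecca"))
```

Two practical points follow from the model. First, because the constraint runs against the indexed fields, Rebecca's events still land in the summary; only the stored ssn value changes, which is why the page's rebuilt summary shows Redacted rather than dropping the rows. Second, the capture group in ssn=([^ ]+) stops at the first space, so the pattern relies on ssn values in _raw being space-delimited; a value containing spaces, or written as ssn="..." with a quoted space, would be only partially matched and should be tested against real events before the filter is trusted.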