Support for walklex and typeahead in searches on indexes with field filters
Splunk platform supports searches that use search commands, as well as searches that use the walklex and typeahead commands on indexes protected by field filters. However, the behavior of walklex and typeahead differs from other search commands in important ways because of the way these generating commands access data.
Field filter limits have no effect on typeahead and walklex searches
When your users run searches that include the typeahead or walklex commands on fields that are protected by field filters, limits that restrict field filters to specific hosts, sources, and source types have no effect. As a result, searches that include these commands apply to all hosts, sources, and source types, even if a limit has been set for the field filter.
Delete is always the field filter replacement method in searches that use typeahead
Regardless of the replacement method that is configured for a field filter, searches with the typeahead command always use delete as the replacement method when field filters are applied to searches. Removing indexed fields with their values from search results ensures that any matching field-value pairs are strictly removed from the results instead of being hashed or replaced, which provides the highest form of protection for sensitive data.
In typeahead searches that are restricted by field filters, field names can still be visible in search results. For example, say you have a search like this:
| typeahead count=10 index=_audit prefix=host
When you run that search without a field filter, the search results include a field called host and field-value pairs such as host="CSCO-W-PMV3". When you add a field filter to the index and run the same search, host="CSCO-W-PMV3" is no longer included in the search results, but the host field and its count still are.
Supported delimiters for indexed terms in searches with typeahead and walklex
You can use field filters on indexed fields with the typeahead command to filter content field results, and with the walklex command to filter term field results. These commands filter content and term field results in the format <field>=<value>, or <field>::<value>.
Field filters for _raw fields aren't applied in searches with walklex and typeahead
The walklex and typeahead commands aren't able to access _raw fields because they operate on the merged lexicon (merged_lexicon.lex) or tsidx files instead of raw event data. As a result, field filters applied to _raw fields don't have any effect on the results of searches that use the walklex and typeahead commands.
Field filter limit type restrictions don't apply to searches with walklex and typeahead
Performance optimization for field filters that is based on limit types relies on fields such as source type, source, and host. Since search results that include walklex and typeahead might not include these fields, Splunk software doesn't apply limit type restrictions configured on field filters in searches with these two commands. This means that even if you only set a limit on a field filter for a host called vendor_sales, results from other hosts might also be filtered in searches with the walklex or typeahead command.
Indexed fields are treated differently
In order to fully protect sensitive data, indexed field filters in searches with walklex and typeahead are applied to all related field-value pairs, rather than only to index-time fields as they are in searches with other commands.
|typeahead index=_audit prefix=action count=10
| content | count | operator |
|---|---|---|
| action | 176142 | false |
| "action.integration_url_override\\" | 2 | false |
| action.to/ | 2 | false |
| action.url/ | 2 | false |
| action/ | 2 | false |
| "action==" | 2 | false |
| "action=accelerate_search" | 2683 | false |
| "action=add" | 17318 | false |
| "action=alert_" | 214 | false |
| "action=artifact_deleted" | 7286 | false |
Now, let's see what happens to the search results if we add a field filter that replaces the action field and its value in the _audit index with the string masked. The same search generates the following results without any sensitive information:
| content | count | operator |
|---|---|---|
| action | 175366 | false |
| "action.integration_url_override\\" | 2 | false |
| action.to/ | 2 | false |
| action.url/ | 2 | false |
| action/ | 2 | false |
walklex command. Say you run the following search:
|walklex index=_audit type=all prefix=action
|table term
| term |
|---|
| action |
| action=accelerate_search |
| action=alert_ |
| action=artifact_deleted |
| action=change_authentication |
| action=create_token |
| action=dmc_manage_topology |
| action=edit_auto_ui_updates |
| action=edit_data_management_otelcollector |
Now, let's apply the field filter that replaces the action field and its value in the _audit index with the string masked. The same search masks the key-value pairs, as shown in the following results:
| term |
|---|
| action |
| action=masked |
| action=masked |
| action=masked |
| action=masked |
| action=masked |
| action=masked |
| action=masked |
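The following is an added example, not Splunk code, that models the behavior described on this page for walklex-style term results and typeahead-style content results: indexed terms are recognized in the <field>=<value> or <field>::<value> formats, a bare field name such as action is never removed, typeahead always falls back to the delete replacement method, and walklex applies the configured method (here, replacement with the string masked) to every matching term. The function names, the filter parameters, and the sample term list (which mixes terms taken from the tables above with constructed :: and host terms) are assumptions. Field filter limits are not modelled because the page states they have no effect on these two commands.

```python
import re

# Indexed terms carry the field and value as <field>=<value> or <field>::<value>
# (the two delimiters the page names). Anything else is treated as a bare term.
TERM_RE = re.compile(r"^(?P<field>[^=:]+)(?P<delim>=|::)(?P<value>.*)$")

# Constructed sample: rows from the page's walklex/typeahead tables plus a
# constructed "::" term and a constructed term for a different field.
SAMPLE_TERMS = [
    "action",
    "action.to/",
    "action=accelerate_search",
    "action=alert_",
    "action::artifact_deleted",  # constructed :: form
    "host::vendor_sales",        # constructed, different field
]


def split_term(term):
    """Return (field, delimiter, value) for an indexed term, or None for a bare term."""
    m = TERM_RE.match(term)
    if not m:
        return None
    return m.group("field"), m.group("delim"), m.group("value")


def apply_field_filter(terms, protected_field, method="delete",
                       replacement="masked", command="walklex"):
    """Model how a field filter on `protected_field` changes generating-command output.

    method: "delete" drops matching terms; "replace" keeps the term but swaps
            the value for `replacement` (page: action=masked).
    command: "typeahead" ignores `method` and always deletes (per the page);
             "walklex" honours the configured method.
    """
    if command == "typeahead":
        method = "delete"  # typeahead always uses delete, regardless of configuration
    filtered = []
    for term in terms:
        parts = split_term(term)
        # Bare terms (no delimiter) and terms for other fields pass through untouched;
        # this is why the "action" row survives in the page's filtered tables.
        if parts is None or parts[0] != protected_field:
            filtered.append(term)
            continue
        field, delim, _value = parts
        if method == "delete":
            continue  # matching field-value pair is removed entirely
        # Replacement keeps the delimiter so the term stays well-formed.
        filtered.append(f"{field}{delim}{replacement}")
    return filtered


if __name__ == "__main__":
    print("walklex, replace:", apply_field_filter(SAMPLE_TERMS, "action", method="replace"))
    print("typeahead, replace configured:",
          apply_field_filter(SAMPLE_TERMS, "action", method="replace", command="typeahead"))
```

Running the block shows the two behaviors side by side: the walklex call returns one action=masked (or action::masked) row per original term, matching the repeated masked rows in the last table, while the typeahead call returns only the bare action term and the unrelated host term even though replace was requested.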