Use field filters in searches on accelerated data models
Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.
Limitations using field filters with tstats and data model acceleration
Field filters prevent searches with the tstats command from running on accelerated data models because tstats is a restricted command and can return sensitive data that a role with field filters might not be allowed to access. To allow certain highly trusted roles to use tstats with accelerated data models when field filters are in use, you must configure the role to have one of the following capabilities:
- The run_commands_ignoring_field_filter capability. Users with this capability can run commands that return index information even when their role is not exempt from a field filter.
- The admin_all_objects capability. This capability is very powerful. Users with this capability have access to all objects in the system. Use this capability with caution and only with the most trusted roles in your organization.
Roles that are not exempt from a field filter and are configured with one of these capabilities can use the tstats command with data acceleration as usual, but without field filters.
See Accelerate data modelsAccelerate data models in the Knowledge Manager Manual.