Limit search terms using search filters
Even if a field filter is set to redact or hide the user field, a search like the following can still return sensitive information about the user bill.smith:
index=human_resource_idx TERM(user::bill.smith)
This is because the TERM() directive is a term filter that searches an indexed field user=bill.smith, a field name user, or a field value bill.smith. When the field filter is applied, the filtered field called user and its values are redacted when returned in the search results. However, the redacted search results might still reveal other sensitive information due to the presence of the TERM() directive in the search.
To protect the sensitive data about a particular user, for example, bill.smith, you can create a search filter using the Search filter SPL generator in Splunk Web. See Specify search restrictions for a role in the Securing Splunk Enterprise Manual. If you're using Splunk Enterprise, you can configure this setting in the authorize.conf file:
[hr_role]
srchFilter = NOT (TERM(user::bill.smith) OR TERM(bill.smith))
srchIndexesAllowed = human_resource_idx
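The weak point described above is that a filter which excludes only the field-scoped term still lets the bare value term through. The following checker, added here as an example and not part of the Splunk documentation or product, parses an authorize.conf-style text and reports, per role, which of the two indexed terms for a given field/value pair the srchFilter fails to exclude. The sample stanzas are constructed; the second role (hr_role_weak) is a hypothetical misconfiguration used to show the gap. Only the NOT ( ... OR ... ) filter shape used on this page is recognised; other filter forms are reported as excluding nothing.

```python
import configparser
import re

# Constructed sample authorize.conf content (not from a live deployment).
# hr_role is the correct stanza from the page; hr_role_weak is a hypothetical
# stanza that only excludes the field-scoped term.
SAMPLE_AUTHORIZE_CONF = """
[hr_role]
srchFilter = NOT (TERM(user::bill.smith) OR TERM(bill.smith))
srchIndexesAllowed = human_resource_idx

[hr_role_weak]
srchFilter = NOT TERM(user::bill.smith)
srchIndexesAllowed = human_resource_idx
"""


def parse_authorize_conf(text):
    """Parse authorize.conf-style stanzas into {role: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key casing such as srchFilter as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def excluded_terms(srch_filter):
    """Return the set of TERM(...) arguments negated by the filter.

    Handles only a filter that begins with NOT, i.e. the
    NOT (TERM(a) OR TERM(b)) shape shown on this page. Anything else is
    treated as excluding nothing, which is the conservative result for an audit.
    """
    if not re.match(r"^\s*NOT\b", srch_filter):
        return set()
    return set(re.findall(r"TERM\(([^)]+)\)", srch_filter))


def missing_exclusions(srch_filter, field, value):
    """List the indexed terms for field/value that the filter does not exclude.

    Both the field-scoped term (field::value) and the bare value term must be
    excluded; otherwise TERM(value) can still surface events about the user.
    """
    needed = {f"{field}::{value}", value}
    return sorted(needed - excluded_terms(srch_filter))


def audit(text, field, value):
    """Map each role in the config to the list of terms its srchFilter misses."""
    roles = parse_authorize_conf(text)
    return {
        role: missing_exclusions(cfg.get("srchFilter", ""), field, value)
        for role, cfg in roles.items()
    }


if __name__ == "__main__":
    for role, missing in audit(SAMPLE_AUTHORIZE_CONF, "user", "bill.smith").items():
        status = "ok" if not missing else f"missing exclusions: {', '.join(missing)}"
        print(f"{role}: {status}")
```

Run against a real authorize.conf by reading the file contents into the text argument; a role that reports a missing bare-value term needs the second TERM() clause added, as in the hr_role stanza above.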