Use field filters in searches on accelerated data models

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

See READ THIS: Downstream impact of field filters

Limitations using field filters with tstats and data model acceleration

When field filters are enabled, searches that use the tstats command, including searches on accelerated data models, are blocked. This is because tstats is a restricted command and might expose sensitive data that some users are not permitted to access. If you want certain trusted roles to bypass field filter restrictions and access unfiltered fields using tstats, regardless of whether the data is from an accelerated data model, you must assign one of the following capabilities to those roles:

  • The run_commands_ignoring_field_filter capability. Users with this capability can run commands that return index information even when their role is not exempt from a field filter.
  • The admin_all_objects capability. This capability is very powerful. Users with this capability have access to all objects in the system. Use this capability with caution and only with the most trusted roles in your organization.

Roles that are configured with one of these capabilities can use the tstats command with data acceleration as usual, but without field filters.
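To review which roles can currently bypass field filters with tstats, you can audit authorize.conf for the two capabilities listed above. The following script is an added example, not Splunk-provided code: the role names and sample configuration are constructed, and it assumes capabilities inherited through importRoles are additive.

```python
import re
# Capabilities this page names as letting a role use tstats without field filters.
BYPASS_CAPS = {"run_commands_ignoring_field_filter", "admin_all_objects"}

# Constructed sample authorize.conf; role names are hypothetical.
SAMPLE_CONF = """
[role_soc_analyst]
search = enabled
[role_dm_trusted]
importRoles = soc_analyst
run_commands_ignoring_field_filter = enabled
[role_soc_lead]
importRoles = dm_trusted
[role_platform_admin]
admin_all_objects = enabled
[role_contractor]
run_commands_ignoring_field_filter = disabled
"""

def parse_roles(text):
    """Return {role: {"caps": set, "imports": list}} from authorize.conf text."""
    roles, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[role_(.+)\]", line)
        if m:
            current = roles.setdefault(m.group(1), {"caps": set(), "imports": []})
        elif line.startswith("["):
            current = None  # non-role stanza: ignore its settings
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "importRoles":
                current["imports"] = [r.strip() for r in value.split(";") if r.strip()]
            elif value == "enabled":
                current["caps"].add(key)
    return roles

def bypass_roles(roles):
    """Map role -> bypass capabilities held directly or through importRoles."""
    def effective(name, seen):
        if name in seen or name not in roles:
            return set()  # stop on import cycles and undefined roles
        seen.add(name)
        caps = set(roles[name]["caps"])
        for parent in roles[name]["imports"]:
            caps |= effective(parent, seen)  # assumption: inheritance is additive
        return caps
    return {r: c for r in roles if (c := sorted(effective(r, set()) & BYPASS_CAPS))}

if __name__ == "__main__":
    print(bypass_roles(parse_roles(SAMPLE_CONF)))
```

Any role in the output, including one that only inherits the capability, should be on your list of trusted roles.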

See Accelerate data models in the Knowledge Manager Manual.