Turn off Splunk platform field filters
READ THIS FIRST: Should you deploy field filters in your organization?
Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone.
If your organization uses downstream configurations, such as accelerated data models, Splunk Enterprise Security (ES) detections using those data models, and user-level search-time field extractions, make sure that you plan around the implications of field filters on those configurations before deploying field filters in your environment. See READ THIS: Downstream impact of field filters.
If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restrict by default (mpreview and mstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.
How to turn off Splunk platform field filters
Field filters are available for use in the Splunk platform by default. However, if you want to deactivate all of your organization's field filters at one time, you have the option to turn off field filters. When you turn off field filters, the Splunk platform doesn't apply existing field filters to searches and ignores configuration information, such as role exemptions, target indexes, and limits on target hosts, sources, and source types. In addition, personally identifiable information (PII) and protected health information (PHI) data might be visible in searches when you turn off field filters.
You can turn field filters back on whenever you need to protect sensitive fields again across your organization.
Splunk Cloud Platform
To turn off field filters in your environment, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
If you no longer want to use field filters to protect sensitive data in your organization, you must turn off field filters in the following .conf files on all search heads and indexers:
- limits.conf
- web-features.conf
Turning off field filters in both files means you will no longer be able to use Splunk Web or Splunk platform REST API endpoints to create and manage field filters.
To turn off field filters in your environment, follow these steps.
Prerequisites
- Have the permissions to edit configuration files. Only users with file system access, such as system administrators, can edit configuration files.
- Know how to edit configuration files. Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
- Decide which directory to store configuration file changes in. There can be configuration files with the same name in your default, local, and app directories. See Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.
Steps
- Open the local limits.conf file at $SPLUNK_HOME/etc/system/local.
- In the [search] stanza, set field_filters=false.
- Open the local web-features.conf file at $SPLUNK_HOME/etc/system/local.
- In the [feature:field_filters] stanza, set enable_field_filters_ui=false.
- Restart Splunk Enterprise so that the changes to the configuration files take effect.
- If you're using field filters in a distributed search deployment, you must set field_filters=false in the limits.conf file and enable_field_filters_ui=false in the web-features.conf file on all search heads and indexers.
To turn field filters back on, change the field_filters and enable_field_filters_ui settings to true.
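Because both files must change on every search head and indexer, a node where only one setting was flipped is easy to miss. The following script is an added example, not part of the Splunk documentation: it reports whether a node is off, on, or inconsistent. The function names (conf_get, field_filter_state, make_node) and the sample node trees are constructed for illustration, and an unset value is assumed to mean on.

```shell
#!/bin/sh
# Added example: report the field-filter state of one Splunk Enterprise node.
# Reads only etc/system/local, the directory used in the steps above.

# conf_get FILE STANZA KEY: print the last KEY value in [STANZA], or "unset".
conf_get() {
    [ -f "$1" ] || { echo unset; return 0; }
    awk -v stanza="[$2]" -v key="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        /^[ \t]*#/  { next }                            # comment line
        /^[ \t]*\[/ { in_s = (trim($0) == stanza); next }
        in_s && (eq = index($0, "=")) {
            if (trim(substr($0, 1, eq - 1)) == key)
                val = tolower(trim(substr($0, eq + 1)))
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# field_filter_state SPLUNK_HOME: print off, on, or inconsistent.
# "unset" counts as on, since the page says field filters are available by default.
field_filter_state() {
    dir="$1/etc/system/local"
    search=$(conf_get "$dir/limits.conf" search field_filters)
    ui=$(conf_get "$dir/web-features.conf" feature:field_filters enable_field_filters_ui)
    case "$search/$ui" in
        false/false)       echo off ;;
        false/* | */false) echo inconsistent ;;
        *)                 echo on ;;
    esac
}

# make_node DIR SEARCH_VALUE UI_VALUE: build a constructed sample node tree.
make_node() {
    mkdir -p "$1/etc/system/local"
    printf '[search]\nfield_filters = %s\n' "$2" > "$1/etc/system/local/limits.conf"
    printf '[feature:field_filters]\nenable_field_filters_ui = %s\n' "$3" \
        > "$1/etc/system/local/web-features.conf"
}

# Demo on constructed data: sh1 is fully off, idx1 had only limits.conf changed.
demo=$(mktemp -d)
make_node "$demo/sh1" false false
make_node "$demo/idx1" false true
for node in sh1 idx1; do
    echo "$node: $(field_filter_state "$demo/$node")"
done
```

The script matches only the literal true and false values used in the steps and does not merge the default, local, and app directories. On a live node, splunk btool shows the merged value that is actually in effect.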