Use field filters in searches on accelerated data models

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone.

If your organization uses downstream configurations, such as accelerated data models, Splunk Enterprise Security (ES) detections using those data models, and user-level search-time field extractions, make sure that you plan around the implications of field filters on those configurations before deploying field filters in your environment. See READ THIS: Downstream impact of field filters.

If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, and tstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Limitations using field filters with tstats and data model acceleration

Limitations using field filters and tstats with DMA

When field filters are enabled, searches that use the tstats command, including searches on accelerated data models, are blocked. This is because tstats is a restricted command and might expose sensitive data that some users are not permitted to access. If you want certain trusted roles to bypass field filter restrictions and access unfiltered fields using tstats, regardless of whether the data is from an accelerated data model, you must assign the following capability to those roles:

  • The run_commands_ignoring_field_filter capability. Users with this capability can run commands that return index information even when their role is not exempt from a field filter.

Roles that are configured with this capability can use the tstats command with data acceleration as usual, but without field filters.

See Accelerate data models in the Knowledge Manager Manual.