Turning on Splunk platform role-based field filtering

Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

By default, role-based field filtering is turned off. Before you can use role-based field filters to protect sensitive data in your organization, you must turn on role-based field filtering.

Splunk Cloud Platform

To turn on role-based field filtering in your environment, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.

Splunk Enterprise

To turn on role-based field filtering in your environment, follow these steps.

Prerequisites
  • Have the permissions to edit configuration files. Only users with file system access, such as system administrators, can edit configuration files.
  • Know how to edit configuration files. Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
  • Decide which directory to store configuration file changes in. There can be configuration files with the same name in your default, local, and app directories. See Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.

CAUTION: Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps

  1. Open or create a local limits.conf file at $SPLUNK_HOME/etc/system/local.
  2. In the [search] stanza, add the line role_based_field_filtering=true.
    To use field filtering in clustered environments, the limits.conf file that is pushed to all search heads and indexers must include role_based_field_filtering=true in the [search] stanza.
  3. Restart the Splunk platform, so the change to the limits.conf file takes effect.