Splunk® Intelligence Management (Legacy)

User Guide

Use the redaction library to modify reports

Splunk Intelligence Management can redact, that is remove, information from a report. The redaction library is backed by a redaction algorithm that provides:

  • Categorical redaction
  • Wildcard matching
  • Optimization for large datasets

For details on how to edit the Redaction Library, see Managing the Redaction Library.

How It Works

The redaction feature operates on two inputs:

  • A Splunk Intelligence Management report
  • A map of redaction descriptors known as the redaction library

When a report is submitted, Splunk Intelligence Management uses the redaction library to delete the terms you have specified for removal. The redaction algorithm programmatically strips the terms from every part of the report, including the metadata.

You can add terms to, or remove terms from, the redaction library at any time.

Splunk Intelligence Management incident report

Technically, an incident report is a map-like data structure that contains both metadata about the report and the report contents. For example, here is a simplified version of what an incident report looks like in Splunk Intelligence Management Station.

Map {
  metadata: Map {
    title: "Network Intrusion Detected",
    region: "North America"
  },
  content: "Network intrusion was detected at our branch in..."
}

Redaction library

The redaction library stores all the terms you want to delete from new reports. A simple redaction library might look like this:

Map {
  company-name: List [
    "Superb Security Corp",
    "Superb Subsidiary"
  ],
  ip-address: List [
    "8.8.8.8"
  ],
  email-address: List [
    "*@superb-security.co"
  ]
}

This sample redaction library defines several things to redact from reports:

  • The company name "Superb Security Corp" and the name of its subsidiary "Superb Subsidiary"
  • An IP address that should be kept private ("8.8.8.8")
  • Every email address that ends in "@superb-security.co" (the leading "*" is a wildcard that matches any local part)
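A worked example of the two-input model described above (a report map plus a redaction library map), written here as added illustrative Python; it is not Splunk's own code, and this page does not publish the real algorithm. It compiles every library term once, treats "*" as a wildcard over non-whitespace characters, matches case-insensitively, walks every string value in the nested report including the metadata, and substitutes a category-tagged marker so that the redaction is visible in the output. The wildcard semantics, the marker format, the case-insensitivity and the sample report are assumptions made for this example; the page itself only says that matched terms are deleted.

```python
"""Categorical, wildcard-aware redaction of a nested report (added example).

Not Splunk's implementation. Assumptions made here: '*' in a library term matches
any run of non-whitespace characters, matching ignores case, and each hit is
replaced by a marker carrying the library category it matched.
"""
import re
from typing import Any, Dict, List, Pattern, Tuple

# Constructed sample inputs modelled on the page's examples (not real data).
REPORT: Dict[str, Any] = {
    "metadata": {
        "title": "Network Intrusion Detected at Superb Security Corp",
        "region": "North America",
        "tags": ["ir", "superb subsidiary"],
    },
    "content": (
        "Network intrusion was detected at our branch. Attacker IP 8.8.8.8 "
        "contacted analyst@superb-security.co and soc-lead@superb-security.co."
    ),
}

LIBRARY: Dict[str, List[str]] = {
    "company-name": ["Superb Security Corp", "Superb Subsidiary"],
    "ip-address": ["8.8.8.8"],
    "email-address": ["*@superb-security.co"],
}


def term_to_regex(term: str) -> str:
    """Turn one library term into a regex.

    Everything except '*' is escaped literally, so the dots in an IP address do
    not become "any character". '*' becomes \\S* (assumed wildcard semantics),
    and \\b anchors stop "8.8.8.8" from matching inside "18.8.8.80".
    """
    literal_parts = [re.escape(part) for part in term.split("*")]
    return r"\b" + r"\S*".join(literal_parts) + r"\b"


def compile_library(library: Dict[str, List[str]]) -> List[Tuple[str, Pattern[str]]]:
    """Compile every term once, up front, so large reports reuse the patterns.

    Longer terms in a category are tried first so that a short term cannot
    consume part of a longer one that would otherwise have matched.
    """
    compiled: List[Tuple[str, Pattern[str]]] = []
    for category, terms in library.items():
        for term in sorted(terms, key=len, reverse=True):
            compiled.append((category, re.compile(term_to_regex(term), re.IGNORECASE)))
    return compiled


def redact_report(
    report: Any,
    library: Dict[str, List[str]],
    marker: str = "[REDACTED:{category}]",  # assumed marker format
) -> Tuple[Any, Dict[str, int]]:
    """Return a redacted copy of the report plus a per-category hit count.

    Every string value is processed, wherever it sits in the structure (top-level
    content, metadata fields, lists). Dictionary keys are field names and are
    left alone. The input report is not modified.
    """
    compiled = compile_library(library)
    counts: Dict[str, int] = {category: 0 for category in library}

    def walk(value: Any) -> Any:
        if isinstance(value, str):
            for category, pattern in compiled:
                value, hits = pattern.subn(marker.format(category=category), value)
                counts[category] += hits
            return value
        if isinstance(value, dict):
            return {key: walk(inner) for key, inner in value.items()}
        if isinstance(value, list):
            return [walk(inner) for inner in value]
        return value  # numbers, booleans, None pass through untouched

    return walk(report), counts


if __name__ == "__main__":
    redacted, hit_counts = redact_report(REPORT, LIBRARY)
    print(redacted["metadata"]["title"])
    print(redacted["content"])
    print(hit_counts)
```

The hit counts are the practitioner's check: a category that reports zero hits on a report you expected to contain the term usually means a wildcard or word-boundary mismatch (for example a term written with a trailing space), and is worth catching before the report is shared rather than after.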
Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

