Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Protecting PII and PHI data with role-based field filtering

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

To protect your personal identifiable information (PII) and protected health information (PHI) data, and meet data privacy requirements, such as General Data Protection Regulation (GDPR) or other privacy regulations, you can use role-based field filtering in the Splunk platform to control which users can see your sensitive data. Role-based field filtering lets you limit access to confidential information for certain roles by redacting or obfuscating fields in events within searches.

Field filters retain the event, but remove specific indexed or default fields from search results, or replace specific indexed or default field values at search time when those fields appear in the results. You can redact a specific field using a null value, which removes the field from the results of the search. Alternatively, you can redact the value of a specific field by replacing it with a custom string such as XXXX, or you can obfuscate the field value by replacing it with a hash using SHA-256 or SHA-512 (SHA-2 family) hash functions.

With role-based field filtering, you decide which sensitive information to protect and how, and which users have access to the data. One or more field filters can be applied to a specific role, which then affect the results of searches run by users assigned with that role. Privileged users who have authority to access the sensitive data can still see it, provided the roles they hold are not configured with role-based field filtering. For more information on roles and capabilities, see Create and manage roles with Splunk Web.

Field filters protect sensitive data from appearing in search results, but do not affect raw data or indexes, since that data is immutable. See Immutability of indexed data in Splunk Enterprise Managing Indexers and Clusters of Indexers.

You can't configure role-based field filtering using Splunk Web.

Using role-based field filtering

There are many different ways you can use role-based field filtering in your organization. For example, say a role called staff includes a person on your support team named Ali who isn't allowed to see confidential information. If you don't want Ali to see any information about a field called account, you could add a field filter to the staff role that sets the account field to a null value and removes it from the search results.

Or maybe you want to replace the value of the account field with a custom string such as UNKNOWN ACCOUNT, so Ali can see the field name but not the true value. If you also don't want Ali's searches to display the name of the network device that is generating the events, you can configure another field filter to replace the host name with a hash value. Then, the value of the host field in Ali's searches displays as a long number instead of the actual host name, which helps protect your systems even more.

Tasks for configuring role-based field filtering

The following table describes common tasks for configuring role-based field filtering.

Task Description For more information
Plan how role-based field filtering will be deployed in your organization. Before you start setting up your role-based field filters, consider which fields will be filtered and how, which roles will be restricted, the impact of field filtering on searches, and so on. See Planning for role-based field filtering in your organization.
Turn on role-based field filtering. You must turn on role-based field filtering before you can use it in your organization to filter fields containing confidential data. See Turning on Splunk platform role-based field filtering.
Set role-based field filters to protect sensitive data. Add a field filter to a role that removes a field using a null value, or replaces the field value with a custom string such as XXXX or a hash using SHA-256 or SHA-512 (SHA-2 family) hash functions. Adding a field filter is required to set up role-based field filtering. See Setting role-based field filters with the Splunk platform.
Limit role-based field filters to specific hosts, sources, indexes, and source types. Specify the field filter limit that will be used to filter events for a role. This is not required to set up role-based field filtering, but limiting field filters to specific hosts, sources, indexes or source types can significantly improve search performance. See Limiting role-based field filters to specific hosts, sources, indexes, and source types.
Turn off role-based field filtering. Turn off role-based field filtering if your organization no longer needs to filter fields containing confidential data such as PII and PHI, and has made sure that unauthorized users won't have access to information that they shouldn't see. See Turning off Splunk platform role-based field filtering.

See also

About configuring role-based user access in this manual.
The sequence of search-time operations ​in the Splunk Cloud Platform Knowledge Manager Manual.
authorization/roles/{name} in the Splunk Cloud Platform REST API Reference Manual.
Last modified on 10 April, 2024
Secure Splunk Enterprise services with pass4SymmKey   Planning for role-based field filtering in your organization

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters