Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Limiting role-based field filters to specific hosts, sources, indexes, and source types

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

By default, a field filter configuration for a role filters all events on the Splunk platform from all available hosts, sources, indexes, and source types, which can impact performance on unrelated search results.

Restrict field filters to specific hosts, sources, or source types

For more efficient searches and better performance, use the field limit setting to restrict the field filters for a role to a specific host, source, or source type. For example, your searches will be faster if you set the field filter limit to filter events from host::hostname1. Instead of filtering all events, only those events from host::hostname1 are filtered.

Keep the following considerations in mind when you plan to limit your field filter on a role to a particular host, source, or source type:

  • You can specify only one value for a field filter limit setting per role.
  • Each field filter limit setting is paired with one or more field filter assignments that are configured on a specific role. See Setting role-based field filters with the Splunk platform.
  • When a field filter limit setting is associated with a role, it applies to all field filter assignments that are also associated with that role.
  • The field filter limit setting does not support statements that include wildcards or the following operators: AND, OR.

Restrict field filters to specific indexes

You can also optimize performance by including or excluding searchable indexes on a role that is configured with field filtering. For planning information about restricting role-based field filtering to specific indexes, see Planning for role-based field filtering in your organization. To specify searchable indexes for a role, see Create and manage roles with Splunk Web.

Configure role-based field filter limits for hosts, sources, and source types

To configure a field filter limit on a role for specific hosts, sources, and source types, you can update the settings in a role using one of the following methods:

  • Update the authorize.conf file by adding fieldFilterLimit = [sourcetype::<sourcetype>|host::<host>|source::<source>] to the role.
  • Use the Splunk platform REST API authorization/roles/{name} endpoint to update settings for the role. You must hold a role with the edit_field_filter capability, such as the predefined "admin" role, to use the endpoint to configure the field filter limit. See authorization/roles/{name} in the Splunk Cloud Platform REST API Reference Manual.
Splunk Cloud Platform
To add a field filter limit to a role, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
To set the fieldFilterLimit to a specific host, source, or source type, you must add the fieldFilterLimit setting to the authorize.conf file. The syntax for specifying the source type is:
fieldFilterLimit = [sourcetype::<sourcetype>|host::<host>|source::<source>]
To add the fieldFilterLimit setting to a role in the authorize.conf file, follow these steps.
Prerequisites
  • Have the permissions to edit configuration files. Only users with file system access, such as system administrators, can edit configuration files.
  • Know how to edit configuration files. Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
  • Decide which directory to store configuration file changes in. There can be configuration files with the same name in your default, local, and app directories. See Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps
  1. Open or create a local authorize.conf file at $SPLUNK_HOME/etc/system/local.
  2. In the stanza for the role, add the line fieldFilterLimit = [sourcetype::<sourcetype>|host::<host>|source::<source>] to specify the host, source, or source type that you want to use for your field filter.

Examples

1. Setting the source type for a field

Say the ops role has the following fieldFilter configuration, which redacts values of the user_name field in searches run by users with the ops role:

fieldFilter-user_name = xxxx

The fieldFilter-user_name configuration applies to all events with the user_name field. To apply fieldFilter-user_name only to events that have the user_name field and the zebra source type, you can add the following fieldFilterLimit configuration to the ops role:

fieldFilterLimit = sourcetype::zebra

2. Using field filter limits with imported roles

Although you can specify only one value for a field filter limit per role, you can use imported roles to apply multiple field filter limits to a single role. For example, if you want users who hold the testers role to be able to limit multiple fields with different source types and hosts, you might configure your field filters to limit fieldA and fieldB on host::abc, and fieldX and fieldY on sourcetype::xyz like this:

[role_testers]
fieldFilter-splunk_server = xyz
fieldFilterLimit = sourcetype::audittrail
importRoles = user

[role_testers2]
fieldFilter-fieldX = NULL
fieldFilter-fieldY = xyz
fieldFilterLimit = sourcetype::xyz

[role_testers3]
fieldFilter-fieldA = NULL
fieldFilter-fieldB = xyz
fieldFilterLimit = host::abc

[role_userA]
importRoles = testers2,testers,testers3

Now a person holding the userA role inherits all of the field filters and limits that are set on the imported roles testers, testers2, or testers3.

For more information about using role-based field filters with imported roles, see Roles and imported roles and Setting role-based field filters with the Splunk platform.

See also

Protecting PII and PHI data with role-based field filtering
Turning on Splunk platform role-based field filtering
Last modified on 15 May, 2024
Setting role-based field filters with the Splunk platform   Turning off Splunk platform role-based field filtering

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters