Splunk® Enterprise

Securing Splunk Enterprise

Turning off Splunk platform role-based field filtering

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

At some point you might want to turn off all of your organization's role-based field filters at one time. When you turn off role-based field filtering, any existing role-based field filters you've set remain in place, but Splunk software ignores configuration information, such as field filters on roles, as well as limits on target hosts, sources, and source types. In addition, when you turn off role-based field filtering, personally identifiable information (PII) and protected health information (PHI) data might be visible in searches.

You can turn role-based field filtering back on whenever you want to use field filtering across your organization again.

Because turning off role-based field filters can expose sensitive data to unauthorized users, make sure that it is safe to turn field filtering off. To further secure your system, only allow certain authorized users to turn off role-based field filtering.

Splunk Cloud Platform
To turn off role-based field filtering in your environment, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
To turn off role-based field filtering in your environment, follow these steps. Before you begin, make sure that you meet these prerequisites:
  • Have the permissions to edit configuration files. Only users with file system access, such as system administrators, can edit configuration files.
  • Know how to edit configuration files. Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
  • Decide which directory to store configuration file changes in. There can be configuration files with the same name in your default, local, and app directories. See Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

  1. Open or create a local limits.conf file at $SPLUNK_HOME/etc/system/local.
  2. In the [search] stanza, add the line role_based_field_filtering=false.
  3. To turn role-based field filtering back on, change role_based_field_filtering to true.
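A check an administrator can run to confirm where the setting from the steps above is present, added here as an example and not part of the Splunk documentation: it walks `$SPLUNK_HOME/etc` and lists every `limits.conf` whose `[search]` stanza sets `role_based_field_filtering` to false. The function names, the constructed sample tree, and treating `0` like `false` are assumptions; the script reports each file that sets the value and does not resolve which file takes precedence.

```python
import os
import tempfile

KEY = "role_based_field_filtering"

def search_stanza_value(conf_text):
    """Return the last value of KEY in the [search] stanza, or None if unset."""
    stanza, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "search" and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == KEY:
                value = v.strip()
    return value

def audit(splunk_home):
    """List every limits.conf under etc/ that turns field filtering off."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(splunk_home, "etc")):
        if "limits.conf" in files:
            path = os.path.join(dirpath, "limits.conf")
            with open(path, encoding="utf-8", errors="replace") as fh:
                value = search_stanza_value(fh.read())
            # Assumption: "0" is treated like "false"; the page only shows true/false.
            if value is not None and value.lower() in ("false", "0"):
                findings.append(os.path.relpath(path, splunk_home))
    return sorted(findings)

def demo():
    """Build a constructed directory tree and audit it."""
    samples = {  # constructed sample files, not from a real deployment
        "etc/system/local/limits.conf": "[search]\nrole_based_field_filtering=false\n",
        "etc/system/default/limits.conf": "[search]\nrole_based_field_filtering = true\n",
        "etc/apps/example_app/local/limits.conf": "# note\n[kv]\nrole_based_field_filtering=false\n",
    }
    with tempfile.TemporaryDirectory() as home:
        for rel, text in samples.items():
            full = os.path.join(home, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit(home)

if __name__ == "__main__":
    print(demo())
```

Call `audit()` with the path to your Splunk installation directory to review a real deployment; any file it lists is a place where field filtering has been turned off and PII or PHI might be visible in searches.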

See also

Protecting PII and PHI data with role-based field filtering
Turning on Splunk platform role-based field filtering
Last modified on 16 May, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2
