Splunk® Enterprise

Securing Splunk Enterprise

Turn on Splunk platform field filters

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

How to turn on field filters

By default, field filters are turned off. Before you can use field filters to protect sensitive data in your organization, you must turn on field filters in the following .conf files:

  • limits.conf
  • web-features.conf files.

Turning on field filters in both files lets you use Splunk Web or Splunk platform REST API endpoints to create and manage field filters.

Splunk Cloud Platform
To turn on field filters in your environment, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
To turn on field filters in your environment, follow these steps.
Prerequisites
  • Have the permissions to edit configuration files. Only users with file system access, such as system administrators, can edit configuration files.
  • Know how to edit configuration files. Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
  • Decide which directory to store configuration file changes in. There can be configuration files with the same name in your default, local, and app directories. See Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps
  1. Open or create a local limits.conf file at $SPLUNK_HOME/etc/system/local.
  2. In the [search] stanza, add the line field_filters=true.
  3. Open or create a local web-features.conf file at $SPLUNK_HOME/etc/system/local.
  4. In the [feature:field_filters] stanza, add the line enable_field_filters_ui=true.
  5. Restart Splunk Enterprise, so the changes to the configuration files take effect.
  6. If you're using field filters in a distributed search deployment, you must set field_filters=true in the limits.conf file and enable_field_filters_ui=true in the web-features.conf file on all search heads and indexers.

See also

Protect PII, PHI, and other sensitive data with field filters
Turn off Splunk platform field filters
Last modified on 18 July, 2024
Plan for field filters in your organization   Create field filters using Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters