Splunk® Enterprise

Admin Manual

field_filters.conf

The following are the spec and example files for field_filters.conf.

field_filters.conf.spec

# Configurations for field filters are stored in
# etc/system/local/field_filters.conf.
# To customize your configuration, create a field_filters.conf file
# at $SPLUNK_HOME/etc/system/local if you are using *nix, or
# %SPLUNK_HOME%\etc\system\local if you are using Windows.

[<fieldFilterName>]

* Field filter names can contain only alphanumeric characters and
  underscores "_".
* Each field filter must have a unique name.

action = <field> = <operator>
* BNF for <action> syntax:
    <action>          ::= <field> = <operator>
    <operator>        ::= null() | sha256() | sha512() | <string literal>
                            | sed(<string literal>)
    <field>           ::= <string literal>
* An operator for an action can be one of the following:
    * null(): Removes the <field> from results of
      searches to which this filter is applied.
      For example: action = "password"=null()
    * sha256(): Hashes the <field> value with a SHA-256 hash
      wherever the <field> appears in results of searches to which this 
      filter is applied.
      For example: action = "userid"=sha256()
    * sha512(): Hashes the <field> value with a SHA-512 hash
      wherever the <field> appears in results of searches to which this 
      filter is applied.
      For example: action = "userid"=sha512()
    * <string literal>: Replaces the <field> value
      with the specified string wherever the <field> appears in results 
      of searches to which this filter is applied.
      For example: action = "ssn"="xxx-xx-xxx"
    * sed(<string literal>): Applies the sed expression to the '_raw' field
      in results of searches to which this filter is applied. The sed
      expression either replaces strings in raw events that match a regular
      expression (s) or transliterates characters in raw events into the
      corresponding characters given in the sed expression (y).
      For example: action = "_raw"=sed("s/drop_count=0/drop_count=ZERO/g")
* <string literal> is a sequence of characters enclosed in double quotation 
  marks (" "). Use \ to escape the characters \ and " in a string literal 
  (\\ and \" respectively).
* No default.
* Required.

limit = [<limit_type>::<string>]
* Apply the action of a field filter to events matching the specified
  'host', 'source', or 'sourcetype' limit.
* Use <limit_type> to specify the limit type: 'host', 'source', or 'sourcetype'.
  You can't specify multiple limit types in a single field filter.
* Use <string> to specify a value or a list of comma-separated values for
  the specified limit.
* Example 1: limit = sourcetype::access_combined
  The field filter acts on events that match the 'access_combined' source type.
* Example 2: limit = sourcetype::st1,st2,st3
  The field filter acts on events that match any of the following source types:
  'st1', 'st2', or 'st3'.
* No default.
* Optional.

index = <string>
* Apply the action of a field filter to events from the specified indexes.
* Use <string> to specify an index name or a list of comma-separated index
  names.
* Example 1: index = myidx
  A field filter acts on events from the 'myidx' index.
* Example 2: index = idx1,idx2,idx3
  A field filter acts on events from any of the following indexes:
  'idx1', 'idx2', or 'idx3'.
* No default.
* Required.

description = <string>
* Used to store a description of the field filter.
* No default.
* Optional.

roleExemptions = <string>
* To maintain data security and integrity, do not manually change this setting.
* Identifies the user roles that are exempt from this field filter.
* This setting is automatically generated by Splunk Web or Splunk platform
  REST API requests, and should not be manually edited.
* <string> indicates a role name or a list of comma-separated role
  names that are exempt from this field filter.
* This setting and the 'fieldFilterExemption' setting in the 'authorize.conf'
  file are both required to exempt a role from a field filter.
* Example 1: roleExemptions = myrole
  A field filter is not applied to searches of a user who has the role "myrole".
* Example 2: roleExemptions = role_1,role_2,role_3
  A field filter is not applied to searches of a user who has any of the 
  following roles: "role_1", "role_2", "role_3".
* No default.
* Optional.
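The 'action' operators, the 'limit' and 'index' scoping, and the 'roleExemptions' behaviour described above, shown together as an added Python example. It is not part of this documentation and not Splunk's implementation: it parses a constructed field_filters.conf (hypothetical stanza names 'mask_password', 'hash_userid', 'mask_ssn' and 'sed_raw'), then applies the filters to a constructed event dictionary for a user with a given set of roles. The event fields, role name 'sc_admin' and the sed support (only the 's' and 'y' forms named above) are assumptions; in particular, this model treats 'roleExemptions' alone as sufficient for an exemption, whereas the spec says the 'fieldFilterExemption' setting in authorize.conf is also required.

```python
# Added example modelling field_filters.conf semantics; not Splunk's own code.
# The stanzas, event and role names below are constructed for illustration.
import configparser
import hashlib
import re

SAMPLE_CONF = '''
[mask_password]
action = "password"=null()
index = main
[hash_userid]
action = "userid"=sha256()
index = main,security
limit = sourcetype::access_combined
roleExemptions = sc_admin
[mask_ssn]
action = "ssn"="xxx-xx-xxxx"
index = main
[sed_raw]
action = "_raw"=sed("s/drop_count=0/drop_count=ZERO/g")
index = main
limit = host::web01
'''

ACTION_RE = re.compile(r'^\s*("(?:[^"\\]|\\.)*")\s*=\s*(.+?)\s*$')
SED_RE = re.compile(r'^([sy])(.)((?:\\.|.)*?)\2((?:\\.|.)*?)\2([gi]*)$')

def unquote(literal):
    # A <string literal> is double-quoted; \\ and \" are its only escapes.
    literal = literal.strip()
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError(f"not a string literal: {literal!r}")
    return re.sub(r'\\([\\"])', r'\1', literal[1:-1])

def parse_action(value):
    # 'action' is <field> = <operator>; returns (field, operator, argument).
    m = ACTION_RE.match(value)
    if not m:
        raise ValueError(f"malformed action: {value!r}")
    field, op = unquote(m.group(1)), m.group(2)
    if op in ("null()", "sha256()", "sha512()"):
        return field, op[:-2], None
    if op.startswith("sed(") and op.endswith(")"):
        return field, "sed", unquote(op[4:-1])
    return field, "literal", unquote(op)

def apply_sed(expr, text):
    # Handles s<d>regex<d>replacement<d>[g][i] and y<d>src<d>dst<d> only.
    m = SED_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported sed expression: {expr!r}")
    cmd, _, lhs, rhs, flags = m.groups()
    if cmd == "s":
        return re.sub(lhs, rhs, text, count=0 if "g" in flags else 1,
                      flags=re.IGNORECASE if "i" in flags else 0)
    return text.translate(str.maketrans(lhs, rhs))   # y: lengths must match

def load_filters(conf_text):
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str            # keep the case of 'roleExemptions'
    parser.read_string(conf_text)
    filters = []
    for name in parser.sections():
        sect, limit = parser[name], None
        field, op, arg = parse_action(sect["action"])
        if "limit" in sect:             # at most one host/source/sourcetype limit
            ltype, _, values = sect["limit"].partition("::")
            if ltype not in ("host", "source", "sourcetype") or not values:
                raise ValueError(f"[{name}] malformed limit: {sect['limit']!r}")
            limit = (ltype, set(values.split(",")))
        filters.append({"field": field, "op": op, "arg": arg, "limit": limit,
                        "indexes": set(sect["index"].split(",")),
                        "exempt": set(sect.get("roleExemptions", "").split(",")) - {""}})
    return filters

def apply_filters(filters, event, user_roles=()):
    # Index, limit and role exemption are checked first; only then is the action applied.
    out = dict(event)
    for f in filters:
        outside_limit = f["limit"] and event.get(f["limit"][0]) not in f["limit"][1]
        if (f["exempt"] & set(user_roles) or event.get("index") not in f["indexes"]
                or outside_limit or f["field"] not in out):
            continue
        key, value = f["field"], str(out[f["field"]])
        if f["op"] == "null":
            del out[key]
        elif f["op"] in ("sha256", "sha512"):
            out[key] = hashlib.new(f["op"], value.encode()).hexdigest()
        elif f["op"] == "literal":
            out[key] = f["arg"]
        else:
            out[key] = apply_sed(f["arg"], value)
    return out

# Constructed event; userid 'abc' keeps the expected SHA-256 digest recognisable.
SAMPLE_EVENT = {"index": "main", "host": "web01", "sourcetype": "access_combined",
                "_raw": "userid=abc drop_count=0 status=200", "userid": "abc",
                "password": "hunter2", "ssn": "123-45-6789"}

def demo(user_roles=(), event=SAMPLE_EVENT):
    # Search result for the event as seen by a user holding the given roles.
    return apply_filters(load_filters(SAMPLE_CONF), event, user_roles)
```

Calling demo() returns the event with 'password' removed, 'userid' replaced by its SHA-256 hex digest, 'ssn' masked and 'drop_count=0' rewritten in '_raw'; demo(("sc_admin",)) leaves 'userid' intact because that role is exempt from 'hash_userid' only, and an event from another index or host falls outside the 'index' or 'limit' scope and is returned unchanged by the filters that do not match.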

field_filters.conf.example

No example
Last modified on 01 November, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.4.1
