Splunk® Enterprise

Securing Splunk Enterprise

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Optimize field filter performance using Splunk Web

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization runs Splunk Enterprise Security, or if your users rely heavily on commands that field filters restrict by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

How to optimize field filter performance using Splunk Web

By default, a field filter applies to all events from all hosts, sources, and source types in its target indexes, which can slow down searches against those indexes even when they return no sensitive data. This section describes how to improve performance by narrowing the indexes, hosts, sources, and source types that a field filter applies to. See Plan for field filters in your organization.

Prerequisites

By default, to create, edit, or delete field filters, you must be a member of the admin or sc_admin role. To view field filters, you must be a member of the admin, sc_admin, or power user role. See Define roles on the Splunk platform with capabilities in Securing Splunk Platform.

Restrict field filters to specific indexes

You must specify the searchable target indexes when you set up your field filters.

Steps

To restrict a field filter to specific indexes, follow these steps.

  1. Select Settings and then Field filters from Users And Authentication.
  2. Select New field filter.
  3. In the Field filter and limit page, enter a name and optional description for your new field filter.
  4. Enter the names of the target indexes that contain the data you want to protect. Only events from these indexes are filtered by the field filter; events in any other index are never touched by it.
    For example, to configure your field filter to filter events from an index called customers, set the target index to customers.
  5. Enter additional information as needed to configure your field filter.
  6. Select Next, and then select Next after reviewing the subsequent pages. Then select Save to update the field filter with your change.

Restrict field filters to specific hosts, sources, or source types

For more efficient searches and better performance, use the field filter limit settings in Splunk Web to restrict a field filter to specific hosts, sources, or source types. For example, if you configure your field filter to apply only to events from a host called hostname1, searches are faster because the filter no longer processes every event in the target indexes, only the events from hostname1. The trade-off is that events from other hosts that carry the same field are no longer filtered, so limit a field filter only when you are sure the sensitive field is confined to the hosts, sources, or source types you name.

Keep the following considerations in mind when you plan to limit your field filter to specific hosts, sources, or source types:

  • You can specify only one limit type (host, source, or source type) per field filter, but you can specify multiple values for that limit type, for example several hosts.
  • The field filter limit settings do not support statements that include wildcards or the following operators: AND, OR.

Steps

This section describes how to use Splunk Web to edit an existing field filter to filter fields from specific hosts, sources, or source types.

  1. Select Settings and then Field filters from Users And Authentication.
  2. Select Edit from the Actions menu for the field filter you want to update.
  3. In the Limit type field, select Host, Source, or Source type. Only one limit type is supported per field filter.
  4. Enter the name of one or more hosts, sources, or source types in Host limit, Source limit, or Source type limit.
  5. Select Next, and then select Next after reviewing the subsequent pages. Then select Save to update the field filter with your change.

Examples

1. Set the source type for a field

Say you have a field filter that replaces values of the IP_addr field with the string xxxx in search results. As configured, the IP_addr field filter applies to every event in its target indexes that has the IP_addr field, regardless of host, source, or source type.

To apply the IP_addr field filter only to events that have the IP_addr field and the cisco_syslog source type, edit the field filter by following these steps:

  1. Select Settings and then Field filters from Users And Authentication.
  2. Select the IP_addr field filter, then select Edit from the Actions menu.
  3. In the Limit type field, select Source type.
  4. In the Source type limit field, enter cisco_syslog.
  5. Select Next and then Save.
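The following is an added example, not Splunk code and not a Splunk API; it is a small model of the scoping rules this page describes, so that the effect of limiting a filter by target index and source type can be seen on a handful of constructed events. It models the unscoped IP_addr filter from the example above and the same filter limited to the cisco_syslog source type, counts how many events each one has to evaluate, and shows which IP_addr values remain visible afterwards. The event records, the filter names (ip_all, ip_cisco), and the replacement string are all constructed for the example; the validation of limit values enforces the page's rule that wildcards and the operators AND and OR are not supported.

```python
"""Added example: a model of how a scoped field filter is applied.

This is NOT Splunk code and calls no Splunk API; it models the rules the
page states so the effect of scoping can be seen on constructed events:
  * a filter touches only events in its target indexes;
  * a filter may carry one limit type (host, source, or sourcetype) with
    one or more values, and only events matching a value are filtered;
  * limit values may not contain wildcards or the operators AND / OR.
The field names, events and filter definitions below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
import re

LIMIT_TYPES = ("host", "source", "sourcetype")
FORBIDDEN_OPERATOR = re.compile(r"\b(AND|OR)\b")


def is_valid_limit_value(value: str) -> bool:
    """Limit values are literal names: no wildcards, no AND/OR operators."""
    return "*" not in value and FORBIDDEN_OPERATOR.search(value) is None


@dataclass
class FieldFilter:
    name: str
    indexes: set                      # target indexes; events elsewhere are never touched
    field_name: str                   # field whose values are redacted
    replacement: str                  # replacement string, e.g. "xxxx"
    limit_type: Optional[str] = None  # at most one limit type per filter
    limit_values: set = field(default_factory=set)

    def __post_init__(self):
        if not self.indexes:
            raise ValueError("a field filter must name at least one target index")
        if self.limit_type is None:
            return
        if self.limit_type not in LIMIT_TYPES:
            raise ValueError(f"unsupported limit type {self.limit_type!r}")
        if not self.limit_values:
            raise ValueError("a limit type needs at least one value")
        for value in self.limit_values:
            if not is_valid_limit_value(value):
                raise ValueError(
                    f"limit value {value!r}: wildcards and AND/OR are not supported")

    def applies_to(self, event: dict) -> bool:
        """In scope if the event is in a target index and, when a limit is set,
        its host/source/sourcetype is one of the limit values."""
        if event.get("index") not in self.indexes:
            return False
        if self.limit_type is None:
            return True
        return event.get(self.limit_type) in self.limit_values


def apply_filters(events, filters):
    """Return redacted copies of `events` and, per filter, how many events it
    had to evaluate. That count is the cost this page talks about: an
    unscoped filter evaluates every event in its target indexes, a scoped
    one only the events that match its limit."""
    evaluated = {f.name: 0 for f in filters}
    redacted = []
    for original in events:
        event = dict(original)          # never mutate the caller's events
        for f in filters:
            if not f.applies_to(event):
                continue
            evaluated[f.name] += 1
            if f.field_name in event:
                event[f.field_name] = f.replacement
        redacted.append(event)
    return redacted, evaluated


# Constructed sample events (not real data).
EVENTS = [
    {"index": "customers", "host": "hostname1", "sourcetype": "cisco_syslog",
     "source": "/var/log/cisco.log", "IP_addr": "10.0.0.7"},
    {"index": "customers", "host": "hostname2", "sourcetype": "access_combined",
     "source": "/var/log/httpd/access.log", "IP_addr": "10.0.0.9"},
    {"index": "main", "host": "hostname1", "sourcetype": "cisco_syslog",
     "source": "/var/log/cisco.log", "IP_addr": "192.168.1.1"},
    {"index": "customers", "host": "hostname3", "sourcetype": "cisco_syslog",
     "source": "/var/log/cisco.log", "user": "bob"},   # no IP_addr field
]

# The page's IP_addr filter, unscoped, and the same filter limited to cisco_syslog.
UNSCOPED = FieldFilter("ip_all", {"customers"}, "IP_addr", "xxxx")
SCOPED = FieldFilter("ip_cisco", {"customers"}, "IP_addr", "xxxx",
                     limit_type="sourcetype", limit_values={"cisco_syslog"})


def visible_ip_addrs(filters):
    """IP_addr values a searching user would still see after `filters` run."""
    redacted, _ = apply_filters(EVENTS, filters)
    return [e["IP_addr"] for e in redacted if "IP_addr" in e]


if __name__ == "__main__":
    for flt in (UNSCOPED, SCOPED):
        _, evaluated = apply_filters(EVENTS, [flt])
        print(flt.name, "evaluated", evaluated[flt.name], "events;",
              "visible IP_addr values:", visible_ip_addrs([flt]))
```

Running the block shows the trade-off in the numbers: the unscoped filter evaluates all three customers events, while the one limited to cisco_syslog evaluates only two, but the IP_addr value in the access_combined event (10.0.0.9) is then returned unredacted, and the event in the main index is never filtered by either, because main is not a target index. Before you limit a field filter, confirm with a search that the sensitive field does not occur outside the hosts, sources, or source types you are about to name.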

See also

Protect PII, PHI, and other sensitive data with field filters
Create field filters using Splunk Web
Last modified on 26 July, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.3.2