Limiting role-based field filters to specific hosts, sources, indexes, and source types
By default, a field filter configuration for a role filters all events on the Splunk platform from all available hosts, sources, indexes, and source types, which can impact performance on unrelated search results.
Restrict field filters to specific hosts, sources, or source types
For more efficient searches and better performance, use the field limit setting to restrict the field filters for a role to a specific host, source, or source type. For example, your searches will be faster if you set the field filter limit to filter events from host::hostname1
. Instead of filtering all events, only those events from host::hostname1
are filtered.
Keep the following considerations in mind when you plan to limit your field filter on a role to a particular host, source, or source type:
- You can specify only one value for a field filter limit setting per role.
- Each field filter limit setting is paired with one or more field filter assignments that are configured on a specific role. See Setting role-based field filters with the Splunk platform.
- When a field filter limit setting is associated with a role, it applies to all field filter assignments that are also associated with that role.
- The field filter limit setting does not support statements that include wildcards or the following operators: AND, OR.
Restrict field filters to specific indexes
You can also optimize performance by including or excluding searchable indexes on a role that is configured with field filtering. For planning information about restricting role-based field filtering to specific indexes, see Planning for role-based field filtering in your organization. To specify searchable indexes for a role, see Create and manage roles with Splunk Web.
Configure role-based field filter limits for hosts, sources, and source types
To configure a field filter limit on a role for specific hosts, sources, and source types, you can update the settings in a role using one of the following methods:
- Update the authorize.conf file by adding
fieldFilterLimit = [sourcetype::<sourcetype>|host::<host>|source::<source>]
to the role. - Use the Splunk platform REST API authorization/roles/{name} endpoint to update settings for the role. You must hold a role with the edit_field_filter capability, such as the predefined "admin" role, to use the endpoint to configure the field filter limit. See authorization/roles/{name} in the Splunk Cloud Platform REST API Reference Manual.
Splunk Cloud Platform
- To add a field filter limit to a role, contact your Splunk account team.
Splunk Enterprise
- To set the
fieldFilterLimit
to a specific host, source, or source type, you must add thefieldFilterLimit
setting to the authorize.conf file. The syntax for specifying the source type is:
fieldFilterLimit = [sourcetype::<sourcetype>|host::<host>|source::<source>]
- To add the
fieldFilterLimit
setting to a role in the authorize.conf file, follow these steps.
- Prerequisites
- Only users with file system access, such as system administrators, can edit configuration files.
- Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.
- Steps
- Open or create a local authorize.conf file at $SPLUNK_HOME/etc/system/local.
- In the stanza for the role, add the line
fieldFilterLimit = [sourcetype::<sourcetype>|host::<host>|source::<source>]
to specify the host, source, or source type that you want to use for your field filter.
Examples
1. Setting the source type for a field
Say the ops role has the following fieldFilter
configuration, which redacts values of the user_name
field in searches run by users with the ops role:
fieldFilter-user_name = xxxx
The fieldFilter-user_name
configuration applies to all events with the user_name
field. To apply fieldFilter-user_name
only to events that have the user_name
field and the zebra
source type, you can add the following fieldFilterLimit
configuration to the ops role:
fieldFilterLimit = sourcetype::zebra
2. Using field filter limits with imported roles
Although you can specify only one value for a field filter limit per role, you can use imported roles to apply multiple field filter limits to a single role. For example, if you want users who hold the testers role to be able to limit multiple fields with different source types and hosts, you might configure your field filters to limit fieldA
and fieldB
on host::abc
, and fieldX
and fieldY
on sourcetype::xyz
like this:
[role_testers] fieldFilter-splunk_server = xyz fieldFilterLimit = sourcetype::audittrail importRoles = user [role_testers2] fieldFilter-fieldX = NULL fieldFilter-fieldY = xyz fieldFilterLimit = sourcetype::xyz [role_testers3] fieldFilter-fieldA = NULL fieldFilter-fieldB = xyz fieldFilterLimit = host::abc [role_userA] importRoles = testers2,testers,testers3
Now a person holding the userA role inherits all of the field filters and limits that are set on the imported roles testers, testers2, or testers3.
For more information about using role-based field filters with imported roles, see Roles and imported roles and Setting role-based field filters with the Splunk platform.
See also
Setting role-based field filters with the Splunk platform | Turning off Splunk platform role-based field filtering |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2305, 9.1.2308
Feedback submitted, thanks!