Splunk Cloud Platform

Securing Splunk Cloud Platform

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Turning on Splunk platform role-based field filtering

By default, role-based field filtering is turned off. Before you can use role-based field filters to protect sensitive data in your organization, you must turn on role-based field filtering.

Splunk Cloud Platform

To turn on role-based field filtering in your environment, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.

Splunk Enterprise

To turn on role-based field filtering in your environment, follow these steps.

Prerequisites
  • Only users with file system access, such as system administrators, can edit configuration files.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps
  1. Open or create a local limits.conf file at $SPLUNK_HOME/etc/system/local.
  2. In the [search] stanza, add the line role_based_field_filtering=true.
  3. Restart the Splunk platform so that the change to the limits.conf file takes effect.


To use field filtering in clustered environments, the limits.conf file that is pushed to all search heads and indexers must include role_based_field_filtering=true in the [search] stanza.
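The following added example (not Splunk tooling or code from this documentation) checks that a limits.conf file sets role_based_field_filtering=true inside the [search] stanza rather than in some other stanza, which is useful for confirming the pushed file on each search head and indexer. The function name rbff_enabled is hypothetical, and treating only the literal value true as "on" is an assumption taken from the steps above.

```shell
#!/bin/sh
# Added example: verify the setting from the steps above in a limits.conf file.
# rbff_enabled is a hypothetical helper name, not a Splunk command.

# rbff_enabled FILE
#   exit 0: [search] stanza contains role_based_field_filtering=true
#   exit 1: key missing, not "true", or present only in a different stanza
#   exit 2: FILE cannot be read
rbff_enabled() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /^[ \t]*\[/ {                            # stanza header, e.g. [search]
            s = $0
            gsub(/^[ \t]*\[|\][ \t\r]*$/, "", s) # strip brackets and trailing blanks
            in_search = (s == "search")
            next
        }
        in_search && /^[ \t]*role_based_field_filtering[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)          # keep only the value
            sub(/[ \t\r]*$/, "", v)
            val = tolower(v)                     # assumption: a repeated key uses the last value
        }
        END { exit ((val == "true") ? 0 : 1) }
    ' "$1"
}

# Check every file named on the command line, for example a copy of
# $SPLUNK_HOME/etc/system/local/limits.conf collected from each cluster member.
for f in "$@"; do
    if rbff_enabled "$f"; then
        echo "OK    $f"
    else
        echo "FAIL  $f"
    fi
done
```

This inspects one file at a time; `splunk btool limits list search` shows the merged [search] settings that the instance actually uses across its configuration layers.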

See also

Protecting PII and PHI data with role-based field filtering
Turning off Splunk platform role-based field filtering
Last modified on 22 November, 2023

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2305, 9.1.2308 (latest FedRAMP release)

