Splunk doesn't have a mechanism to anonymize data at search time - it can only anonymize it at index-time.
To protect indexed sensitive data, you would need to filter it based on role to prevent access.
I don't know of a way to do this with Splunk's role based permissions on objects or at search time.
A potential solution/hack , albeit not very "license volume efficent", might be to index the data twice.
Index A indexes the data in plaintext , Index B indexes the same data but anonymized.
And then make Index A only readable to those in the admin role and Index B readable to those in the user1 role.
Yes this is what I would suggest, as well. I'd use saved searches to pipe the search results through a custom command that scrubs the fields out of the data and writes a copy of every record into another index. Since this would not be running through any of the inputs it would not count against licensing volume (as with summary indexing), but would require additional disk.