How to restrict access to indexed fields


I would like to restrict access to a specific indexed field. Here's my scenario:

  • events contain usernames
  • I use INGEST_EVAL to: create the user field (user), create a hashed version of the user field (user_hash) and to modify _raw to replace the username with the value of user_hash.
  • this is done at index time and fields are indexed
  • my goal is to allow all users access to the user_hash. This pseudo-anonymization allows for stats by user without having the actual username
  • more privileged users will be allowed to access the user field to see the actual value
  • I've set up the INGEST_EVAL extractions and they work fine
  • what is the best way to restrict access to the user field to only a specific role?

Super Champion

Just doing something from my experience
1. The only proper way to restrict permissions is by giving ROLE access to specific INDEX. So create a role and assign specific index which it can access and capabilities accordingly.
2. Then redirect all your raw data to a "secured index" with ROLES which are very secure. (eg index=secure_index sourcetype=secure_sourcetype)
3. Redirect all your user_hash events with another sourcetype to a more generic index which users can access (eg index=not_so_secure_index sourcetype=another_sourcetype)

Unfortunately, this means double the indexing & data. Another way is to summary-index the specific data you want the "less secure" users to see. You can just provide them with some key fields only.


Super Champion

IMO, the ONLY true way to restrict access is at "INDEX" level. So the role can access only specific indexes


Just to be clear: in the raw events in Splunk Web, we can now see 2 fields, user and user_hash, with the actual value and the secure hash computed value?
And you want to hide / unhide the actual user value depending upon the user login?



Not quite. Only the username is displayed in the raw event. I use INGEST_EVAL at index time to:

Step 1: extract the user field (transforms.conf):

INGEST_EVAL = user = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")

Step 2: create a field called user_hash which is the md5 hash of the username from step 1 (transforms.conf):

INGEST_EVAL = user_hash = md5(user)

Step 3: replace the occurrence of the username in _raw with the value of user_hash created from step 2 (transforms.conf):

INGEST_EVAL = _raw = replace(_raw,user,user_hash)

What I'm left with:

  • a user field with actual username
  • a user_hash field with hash value of username
  • _raw has been modified before being indexed to replace the username with the hash

What I need to figure out:
- user_hash field should be available to all users
- user field should only be available to special users with this privilege
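The configuration below is an added example, not from the thread or from Splunk's documentation. It puts the two posts together: the suggestion above to keep the raw copy in a "secured index" and route a hashed copy to a generic index, and the three INGEST_EVAL steps listed in this post. All stanza, role, index, sourcetype and path names are assumptions. The copy that lands in the generic index never gets a user indexed field, so there is nothing there to hide from the analyst role; only the role that can search secure_index sees usernames. Note that the clone is built with a lookbehind rather than replace(_raw,user,user_hash), because the second argument of replace() is a regex and a username containing a dot or other metacharacter would match more than intended.

```ini
# --- inputs.conf (assumed input; path and index are placeholders) ---
[monitor:///var/log/app/app.log]
sourcetype = secure_sourcetype
index = secure_index

# --- transforms.conf ---
# Clone every event of the secure sourcetype into a second sourcetype.
# The original keeps its sourcetype and goes to secure_index unchanged,
# username and all.
[clone_for_general_use]
REGEX = .
CLONE_SOURCETYPE = another_sourcetype

# Applied only to the cloned sourcetype: compute the hash straight from
# _raw and rewrite _raw, so this copy never carries a "user" indexed field.
# Caveat: md5() of a bare username is reversible by anyone who can hash a
# list of candidate names; a keyed hash, e.g. sha256() of the username
# joined with a secret only the indexing tier knows, is stronger.
[anon_user]
INGEST_EVAL = user_hash=md5(replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")), _raw=replace(_raw,"(?<=username:)\S+",user_hash)

# Send the anonymised clone to the index that every analyst may search.
# Without this the clone inherits secure_index from the original event.
[route_to_general_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = not_so_secure_index

# --- props.conf ---
[secure_sourcetype]
TRANSFORMS-clone = clone_for_general_use

[another_sourcetype]
TRANSFORMS-anon = anon_user, route_to_general_index

# --- authorize.conf ---
# Access control lives at index level: the analyst role can search only
# the hashed copy, the privileged role can also search the raw copy.
[role_analyst]
srchIndexesAllowed = not_so_secure_index
srchIndexesDefault = not_so_secure_index

[role_privileged_analyst]
importRoles = analyst
srchIndexesAllowed = not_so_secure_index;secure_index
srchIndexesDefault = secure_index
```

As the earlier answer notes, cloning doubles the indexed volume. Confirm the split with two searches after a restart: `index=not_so_secure_index sourcetype=another_sourcetype | head 5` should show user_hash and no user field, and the same search against secure_index should be denied for a member of the analyst role.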


Splunk Employee

But it seems there is no way to restrict access to this user field to specific users.
