Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Remove a field from certain roles view

celdridge1988
Engager
‎02-18-2020 05:35 AM

Hi Everyone,
The scenario here is:

Email data being ingested by Splunk. We want to be able to give access to this index to a number of people but confidential information is sometimes presented in the subject line of an email and the subject is a part of the log.

Is it possible to block just this field on certain roles but not all?

Thank you 🙂

0 Karma
Reply

manjunathmeti
Champion
‎02-18-2020 05:52 AM

If a role gets access to an index then user of that role can search all the fields of that index. Access can't be controlled on field names. Best thing you can do is write a search to anonymize or remove confidential fields and write output to a summary index and give access to summary index to restricted roles.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...