The scenario here is:
Email data being ingested by Splunk. We want to be able to give access to this index to a number of people but confidential information is sometimes presented in the subject line of an email and the subject is a part of the log.
Is it possible to block just this field on certain roles but not all?
Thank you 🙂