Security

Remove a field from certain roles view

celdridge1988
Engager

Hi Everyone,
The scenario here is:

Email data being ingested by Splunk. We want to be able to give access to this index to a number of people but confidential information is sometimes presented in the subject line of an email and the subject is a part of the log.

Is it possible to block just this field on certain roles but not all?

Thank you 🙂

0 Karma

manjunathmeti
Champion

If a role gets access to an index then user of that role can search all the fields of that index. Access can't be controlled on field names. Best thing you can do is write a search to anonymize or remove confidential fields and write output to a summary index and give access to summary index to restricted roles.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!