Email data being ingested by Splunk. We want to be able to give access to this index to a number of people but confidential information is sometimes presented in the subject line of an email and the subject is a part of the log.
Is it possible to block just this field on certain roles but not all?
If a role gets access to an index then user of that role can search all the fields of that index. Access can't be controlled on field names. Best thing you can do is write a search to anonymize or remove confidential fields and write output to a summary index and give access to summary index to restricted roles.