I am trying to configure explicit information access based on roles in Splunk Enterprise.
I have configured a number of event types and field extractions. Is it possible to grant access to an event type but deny access to one field of a multi-field extraction? For example, to illustrate what I am trying to achieve:
event type "SomeInfo", search term: "SomeInfo: "
field extractor "InfoExtr", regex: aField: (?P<FieldA>[^,]+), bField: (?P<FieldB>[^,]+), cField: (?P<FieldC>[^,]+)
log example: SomeInfo: aField: foo, bField: bar, cField: 99
I would like to allow a role to access FieldA and FieldB, but not FieldC. Is this possible?
I have the following in the role's "Restrict search terms":
(eventtype="SomeInfo" OR eventtype="Other"). I have tried adding
(NOT FieldC), which doesn't filter anything, and
(NOT FieldC="*"), which filters out the entire event.
I would suggest indexing the same data to two indexes. Anonymize (http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles) the data going into one index and give one user/group access to that index. Let the data go into the second index as is and give access to that index to the other user/group.
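One way to realize the two-index approach described in this answer, as an added configuration example that is not part of the original answer. It clones each incoming event to a second sourcetype, masks the cField value in the clone with SEDCMD before it is indexed, routes the clone to a separate index, and limits the restricted role to that index. The sourcetype names (app_log, app_log_masked), index names (app_full, app_masked) and role names are assumptions; the original events are assumed to arrive with index = app_full set in inputs.conf. A search-time restriction such as NOT FieldC="*" removes whole events rather than a single field, which is why the masking has to happen at index time.

```ini
# --- props.conf (indexer or heavy forwarder, where parsing happens) ---
# Assumed sourcetype for the original "SomeInfo:" events; inputs.conf sends it to index app_full.
[app_log]
TRANSFORMS-clone_masked = clone_to_masked

# The clone arrives under the assumed sourcetype app_log_masked. Mask the cField value
# in the raw event before indexing, then route the clone to the masked index.
[app_log_masked]
SEDCMD-mask_fieldc = s/cField: [^,]+/cField: XXXX/g
TRANSFORMS-route_masked = route_to_masked_index

# --- transforms.conf ---
# Clone every event (REGEX matches any event) to the masked sourcetype.
[clone_to_masked]
REGEX = .
CLONE_SOURCETYPE = app_log_masked

# Override the index for the cloned events so they do not land in app_full.
[route_to_masked_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_masked

# --- authorize.conf ---
# Restricted role: may only search the masked copy, where FieldC extracts as XXXX.
[role_app_restricted]
srchIndexesAllowed = app_masked
srchIndexesDefault = app_masked

# Full-access role: searches the unmodified original index.
[role_app_full]
srchIndexesAllowed = app_full
srchIndexesDefault = app_full
```

The field extraction "InfoExtr" from the question still works on the masked copy, since the cField: token is preserved and only its value is replaced, so FieldA and FieldB remain usable for the restricted role while FieldC carries no sensitive content. Both indexes need to exist in indexes.conf, and the transforms must be deployed where parsing occurs (not on a universal forwarder).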