Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to apply role based filtering on Splunk Cloud Platform

sabbas
Engager
2 weeks ago

Hello folks,

We use Splunk cloud platform (managed by Splunk) for our logging system. We want to implement role based search filtering to mask JWT tokens and Emails in the logs for certain users.

Ex. 

Roles: User, RestrictedUser

Both roles have access to the same index: main

Users can query as normal, but if a RestrictedUser searches the logs then they should get the logs with the token and email data masked.

Documentation/community posts/gemini recommended adding regex for filtering in transforms conf and updating some other conf files like so

# transforms.conf

[redact_jwt_searchtime]
REGEX = (token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+))
FORMAT = token=xxx.xxx.xxx
SOURCE_KEY = _raw

[redact_email_searchtime]
REGEX = ([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})
FORMAT = xxx@xxx.xxx
SOURCE_KEY = _raw

# props.conf

[*]
TRANSFORMS-redact_for_search = redact_jwt_searchtime, redact_email_searchtime

# authorize.conf

[test_masked_data]
srchFilter = search_filters = redact_for_search

creating an app and uploading it on the cloud platform. Since the platform is managed by Splunk, I'm not sure if that would be sufficient or even work.
 
Anyone have suggestions on the best way to apply the role based search filters when on Splunk Cloud rather than on premise?
Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

Forget you ever heard about Search Filters.  They usually cause more problems than they solve.

TRANSFORMS are index-time operations so they will mask data for everyone.

What you want is Field Filters.  They automatically mask fields in search results based on user roles.  See https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/searchfieldfilters for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...