Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to apply role based filtering on Splunk Cloud Platform

sabbas
Explorer
‎06-04-2025 12:15 PM

Hello folks,

We use Splunk cloud platform (managed by Splunk) for our logging system. We want to implement role based search filtering to mask JWT tokens and Emails in the logs for certain users.

Ex. 

Roles: User, RestrictedUser

Both roles have access to the same index: main

Users can query as normal, but if a RestrictedUser searches the logs then they should get the logs with the token and email data masked.

Documentation/community posts/gemini recommended adding regex for filtering in transforms conf and updating some other conf files like so

# transforms.conf

[redact_jwt_searchtime]
REGEX = (token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+))
FORMAT = token=xxx.xxx.xxx
SOURCE_KEY = _raw

[redact_email_searchtime]
REGEX = ([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})
FORMAT = xxx@xxx.xxx
SOURCE_KEY = _raw

# props.conf

[*]
TRANSFORMS-redact_for_search = redact_jwt_searchtime, redact_email_searchtime

# authorize.conf

[test_masked_data]
srchFilter = search_filters = redact_for_search

creating an app and uploading it on the cloud platform. Since the platform is managed by Splunk, I'm not sure if that would be sufficient or even work.
 
Anyone have suggestions on the best way to apply the role based search filters when on Splunk Cloud rather than on premise?
Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2025 12:26 PM

Forget you ever heard about Search Filters.  They usually cause more problems than they solve.

TRANSFORMS are index-time operations so they will mask data for everyone.

What you want is Field Filters.  They automatically mask fields in search results based on user roles.  See https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/searchfieldfilters for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Alpha Launch: AI-Assisted Auto-Schematization for CIM

Streamlining Data Onboarding: Announcing the Alpha Release of AI-Assisted Auto-Schematization For many Splunk ...

Enterprise Security(ES) Essentials or Premier? Let's discuss Splunk ES Editions on ...

  Hi everyone, Last year at .conf25, we shared something exciting: Splunk Enterprise Security is evolving ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 5

Advent of CodeIn order to participate in these challenges, you will need to register with the Advent of Code ...