Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to apply role based filtering on Splunk Cloud Platform

sabbas
Explorer
‎06-04-2025 12:15 PM

Hello folks,

We use Splunk cloud platform (managed by Splunk) for our logging system. We want to implement role based search filtering to mask JWT tokens and Emails in the logs for certain users.

Ex. 

Roles: User, RestrictedUser

Both roles have access to the same index: main

Users can query as normal, but if a RestrictedUser searches the logs then they should get the logs with the token and email data masked.

Documentation/community posts/gemini recommended adding regex for filtering in transforms conf and updating some other conf files like so

# transforms.conf

[redact_jwt_searchtime]
REGEX = (token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+))
FORMAT = token=xxx.xxx.xxx
SOURCE_KEY = _raw

[redact_email_searchtime]
REGEX = ([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})
FORMAT = xxx@xxx.xxx
SOURCE_KEY = _raw

# props.conf

[*]
TRANSFORMS-redact_for_search = redact_jwt_searchtime, redact_email_searchtime

# authorize.conf

[test_masked_data]
srchFilter = search_filters = redact_for_search

creating an app and uploading it on the cloud platform. Since the platform is managed by Splunk, I'm not sure if that would be sufficient or even work.
 
Anyone have suggestions on the best way to apply the role based search filters when on Splunk Cloud rather than on premise?
Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2025 12:26 PM

Forget you ever heard about Search Filters.  They usually cause more problems than they solve.

TRANSFORMS are index-time operations so they will mask data for everyone.

What you want is Field Filters.  They automatically mask fields in search results based on user roles.  See https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/searchfieldfilters for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...