Hello folks,

We use the Splunk Cloud platform (managed by Splunk) for our logging system. We want to implement role-based search filtering to mask JWT tokens and emails in the logs for certain users.

Example roles: User, RestrictedUser. Both roles have access to the same index: main. Users can query as normal, but if a RestrictedUser searches the logs then they should get the logs with the token and email data masked.

Documentation, community posts and Gemini recommended adding regexes for filtering in transforms.conf and updating some other conf files like so, then creating an app and uploading it to the cloud platform:

# transforms.conf
[redact_jwt_searchtime]
REGEX = (token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+))
FORMAT = token=xxx.xxx.xxx
SOURCE_KEY = _raw

[redact_email_searchtime]
REGEX = ([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})
FORMAT = xxx@xxx.xxx
SOURCE_KEY = _raw

# props.conf
[*]
TRANSFORMS-redact_for_search = redact_jwt_searchtime, redact_email_searchtime

# authorize.conf
[test_masked_data]
srchFilter = search_filters = redact_for_search

Since the platform is managed by Splunk, I'm not sure if that would be sufficient or even work. Anyone have suggestions on the best way to apply role-based search filters when on Splunk Cloud rather than on premise?
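Whatever mechanism ends up applying them, the two regexes and FORMAT strings from the post can be checked offline before anything is uploaded to a managed instance. The script below is an added example, not code from the post or from Splunk: it applies the posted patterns to constructed sample events and then audits the output with a broader pattern, which shows that the posted JWT regex misses tokens whose first two segments contain "_" (base64url, the JWT alphabet, allows both "-" and "_" in every segment).

```python
import re

# Regexes copied from the transforms.conf stanzas in the post; each FORMAT
# string becomes the equivalent re.sub replacement.
JWT_RE = re.compile(r"token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+)")
JWT_FMT = "token=xxx.xxx.xxx"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EMAIL_FMT = "xxx@xxx.xxx"

# Broader patterns used only to audit the result: base64url allows '-' and
# '_' in every JWT segment, which the posted first two segment classes do not.
AUDIT_JWT = re.compile(r"token=([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)")
AUDIT_EMAIL = re.compile(r"[^\s@=]+@[^\s@]+\.[A-Za-z]{2,}")


def mask(raw: str) -> str:
    """Apply both transforms to one _raw event, in the order props.conf lists them."""
    return EMAIL_RE.sub(EMAIL_FMT, JWT_RE.sub(JWT_FMT, raw))


def leaks(raw: str) -> list[str]:
    """Return token or email values that are still readable after mask() has run."""
    masked = mask(raw)
    found = [m.group(1) for m in AUDIT_JWT.finditer(masked) if m.group(1) != "xxx.xxx.xxx"]
    found += [m.group(0) for m in AUDIT_EMAIL.finditer(masked) if m.group(0) != "xxx@xxx.xxx"]
    return found


# Constructed sample events (hypothetical, not real log data).
SAMPLE_EVENTS = [
    "login ok user=alice@example.com token=eyJhbGci.eyJzdWIi.abc-_123",
    # payload segment contains '_', which the posted second-segment class rejects
    "login ok user=bob@example.org token=eyJhbGci.eyJ_zdWIi.sig-_456",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(mask(event))
        print("  leaked:", leaks(event) or "none")
```

This only validates the patterns themselves; it says nothing about whether Splunk Cloud applies them at search time for a given role.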