Hi @sabbas

The Search Filter feature in Splunk roles is designed to restrict which events a user can search, not to transform or mask the data within those events.

The syntax error "unbalanced parenthesis" occurs because the commands | eval or | rex mode=sed are pipeline commands. When you place them in the Search Filter, Splunk attempts to insert them into the initial search command (like litsearch or search) in a way that breaks the expected syntax, as pipeline commands cannot directly follow search terms within the initial command's arguments.

Search Filters should contain search clauses that filter events, such as index=myindex, sourcetype=mysourcetype, or boolean combinations of these. They are applied before the user's search string is fully processed as an SPL pipeline.

Modifying the _raw field based on user roles at search time is a complex requirement that is not directly supported by the standard role configuration's Search Filter. The typical Splunk method for masking sensitive data is done at index time using props.conf and transforms.conf. This is the most secure method as the data is masked before being written to disk, but it applies globally and is not role-specific. Implementing role-based masking at search time usually requires more advanced techniques, potentially involving custom search commands or complex logic applied via views or macros, which is beyond the scope of a simple role filter.

In summary:
- Search Filters are for restricting events (e.g., index=sales), not transforming data (| eval, | rex).
- Placing pipeline commands (|) in the Search Filter string will cause syntax errors.
- Role-based data masking at search time is not a standard feature of role configurations.

The search filter configuration page within Splunk states that the search filter can only include:
- source type
- source host
- index
- event type
- search fields
- the operators "*", "OR", "AND", "NOT"

See Anonymize data for more ideas too.

Did this answer help you?
If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
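The two configurations the answer above contrasts, written out as an added example (not from the original post or from Splunk's documentation): a role whose srchFilter uses only the allowed search terms, with the pipeline form that triggers the syntax error shown commented out, followed by the index-time masking that props.conf and transforms.conf provide. The role name, index, sourcetype, host pattern and field names are assumptions chosen for illustration; SEDCMD, TRANSFORMS, REGEX, FORMAT and DEST_KEY are the standard Splunk settings.

```ini
# authorize.conf  (example; role and index names are assumed)
[role_sales_analyst]
srchIndexesAllowed = sales
srchIndexesDefault = sales
# Works: only search terms (index, sourcetype, host, wildcards, AND/OR/NOT).
# This is ANDed onto every search the role's members run.
srchFilter = index=sales (sourcetype=sales_orders OR sourcetype=sales_returns) NOT host=staging*
# Does NOT work: a pipeline command is spliced into the initial search
# command and yields the "unbalanced parenthesis" syntax error.
# srchFilter = index=sales | rex mode=sed field=_raw "s/\d{3}-\d{2}-(\d{4})/XXX-XX-\1/g"

# props.conf  (example; sourcetype name is assumed)
# Index-time masking runs before the event is written to disk and applies
# to every role; it is the supported place for | rex mode=sed style edits.
[sales_orders]
# Simple substitution: keep the last four digits of a card number.
SEDCMD-mask-card = s/\b\d{12}(\d{4})\b/XXXXXXXXXXXX\1/g
# Regex-based rewrite via a transform stanza for the SSN-style field.
TRANSFORMS-mask-ssn = mask_ssn_in_raw

# transforms.conf  (example; stanza and field names are assumed)
[mask_ssn_in_raw]
REGEX = (.*)ssn=\d{3}-\d{2}-(\d{4})(.*)
FORMAT = $1ssn=XXX-XX-$2$3
DEST_KEY = _raw
```

After changing props.conf or transforms.conf, restart the indexer (or heavy forwarder) that parses the data and send a test event; events already indexed are not rewritten, which is one more reason the masking applies to all roles rather than to one.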