Hi @salohiddin  As @PickleRick mentioned, the most bulletproof way to achieve this is to duplicate the data, with this you can then store a redacted version in one index whilst keeping the original in an index with reduced access. This does mean that the data will go through the ingest meta twice, and you would end up using more storage. To mitigate this a little you migt be able to rewrite your un-redacted data to just include the required fields needed to match back to the original event (e.g. a unique ID and un-redacted card number). There are various ways to achieve this e.g. using props/transforms or Ingest/Edge Processor depending on your environment. Another option would be role based field filtering - check out https://www.splunk.com/en_us/blog/security/field-hashing-masking-capabilities-for-compliance.html?locale=en_us for more information on this. Let us know your thoughts and if you have any questions just shout! 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Ahhh. Right. I read it backwards. Yes, if it's set in system/local, there's no way of overriding it via an app. That's the main reason why you should avoid putting any settings in system/local. Oh, and GUI - depending on which part of it it is will happily either write to system/local or some app of its own choice. ... View more

Hi @salohiddin  Its not possible to set this in the GUI, instead, after you run the installer don’t let the UF start immediately. Instead, edit (or create) the Windows‑event‑log stanza in $SPLUNK_HOME\etc\system\local\inputs.conf (or withing a custom app) before the forwarder first reads any logs. Add the following to the inputs.conf file [WinEventLog] current_only = 1 See https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-windows-data/monitor-windows-event-log-data-with-splunk-enterprise#:~:text=oldest-,current_only,-How%20to%20index for more info on this setting. Once you have saved the file: Start the forwarder (splunk.exe start or the Windows service). The UF will read only new events and no longer send the historic logs. If you've already started the UF then stop the service, edit inputs.conf, and restart the service. 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more