Is there a way to mask or anonymize data in splunk by role such that one role (such as Admin) can see all the data on splunk however another role (such as user1)can only see the masked or anonymized data.
Splunk doesn't have a mechanism to anonymize data at search time - it can only anonymize it at index-time.
To protect indexed sensitive data, you would need to filter it based on role to prevent access.
I don't know of a way to do this with Splunk's role based permissions on objects or at search time.
A potential solution/hack , albeit not very "license volume efficent", might be to index the data twice.
Index A indexes the data in plaintext , Index B indexes the same data but anonymized.
And then make Index A only readable to those in the admin role and Index B readable to those in the user1 role.
Yes this is what I would suggest, as well. I'd use saved searches to pipe the search results through a custom command that scrubs the fields out of the data and writes a copy of every record into another index. Since this would not be running through any of the inputs it would not count against licensing volume (as with summary indexing), but would require additional disk.
No solution yet.!!
Wow i thought i could have it answered here, i will update once i get a solution to this :). Waiting on a response from Splunk support.