Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Splunk Exam SPLK-1003 Topic 3 Question 82 Discussion

Actual exam question for Splunk's SPLK-1003 exam
Question #: 82
Topic #: 3
[All SPLK-1003 Questions]

What is the correct example to redact a plain-text password from raw events?

Show Suggested Answer Hide Answer
Suggested Answer: B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

According to the Splunk documentation1, to redact sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file. The SEDCMD attribute applies a sed expression to the raw data before indexing. The sed expression can use the s command to replace a pattern with a substitution string. For example, the following sed expression replaces any occurrence of password= followed by any characters until a comma, whitespace, or slash with ####REACTED####:

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option C is incorrect because it uses the transforms.conf file instead of the props.conf file. The transforms.conf file is used to define transformations that can be applied to fields or events, such as lookups, evaluations, or replacements. However, these transformations are applied after indexing, not before.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.


Contribute your Thoughts:

Roselle
6 months ago
I believe using SEDCMD instead of REGEX could work too for redacting passwords.
upvoted 0 times
...
Jess
6 months ago
I'm not sure, but I think it might be C) in transforms.conf.
upvoted 0 times
...
Dorothea
6 months ago
I agree, using REGEX to redact the password seems like the right approach.
upvoted 0 times
...
Roselle
6 months ago
I think the correct example is A) in props.conf.
upvoted 0 times
...
Katie
6 months ago
I believe using SEDCMD instead of REGEX could work too for redacting passwords.
upvoted 0 times
...
Veta
7 months ago
I'm not sure, but I think it might be C) in transforms.conf.
upvoted 0 times
...
Man
7 months ago
I agree, using REGEX to redact the password seems like the right approach.
upvoted 0 times
...
Katie
7 months ago
I think the correct example is A) in props.conf.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77