nerdexam
Splunk

SPLK-1003 · Question #151

What is the correct example to redact a plain-text password from raw events?

The correct answer is B. in props.conf:. Raw event redaction in Splunk is performed using SEDCMD in props.conf, which applies a sed-style substitution directly to the raw event text at index time. Option B provides the correct SEDCMD stanza in props.conf.

Configuration Files

Question

What is the correct example to redact a plain-text password from raw events?

Options

  • Ain props.conf:
  • Bin props.conf:
  • Cin transforms.conf:
  • Din transforms.conf:

How the community answered

(34 responses)
  • A
    3% (1)
  • B
    88% (30)
  • C
    3% (1)
  • D
    6% (2)

Why each option

Raw event redaction in Splunk is performed using SEDCMD in props.conf, which applies a sed-style substitution directly to the raw event text at index time. Option B provides the correct SEDCMD stanza in props.conf.

Ain props.conf:

This option uses an incorrect directive in props.conf that does not operate on raw event text - only SEDCMD can perform in-place raw string substitution within props.conf.

Bin props.conf:Correct

SEDCMD in props.conf applies a sed-style regular expression substitution to the raw event text before the event is written to the index, permanently replacing sensitive strings such as passwords. The correct syntax is SEDCMD-<name> = s/<regex>/<replacement>/g within the appropriate source or sourcetype stanza in props.conf, making it the only props.conf directive that modifies raw event content directly.

Cin transforms.conf:

A standalone transforms.conf stanza cannot redact raw event text on its own - it must be paired with a TRANSFORMS reference in props.conf, and SEDCMD in props.conf is the simpler and more direct approach for raw text redaction.

Din transforms.conf:

This option uses incorrect transforms.conf syntax or a configuration designed to modify extracted field values rather than the underlying raw event text, which does not achieve raw-data redaction.

Concept tested: Raw event redaction using SEDCMD in props.conf

Source: https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

Topics

#Password Redaction#props.conf#Event Processing#Data Transformation

Community Discussion

No community discussion yet for this question.

Full SPLK-1003 Practice