SPLK-1003 · Question #151
What is the correct example to redact a plain-text password from raw events?
The correct answer is B. in props.conf:. Raw event redaction in Splunk is performed using SEDCMD in props.conf, which applies a sed-style substitution directly to the raw event text at index time. Option B provides the correct SEDCMD stanza in props.conf.
Question
What is the correct example to redact a plain-text password from raw events?
Options
- Ain props.conf:
- Bin props.conf:
- Cin transforms.conf:
- Din transforms.conf:
How the community answered
(34 responses)- A3% (1)
- B88% (30)
- C3% (1)
- D6% (2)
Why each option
Raw event redaction in Splunk is performed using SEDCMD in props.conf, which applies a sed-style substitution directly to the raw event text at index time. Option B provides the correct SEDCMD stanza in props.conf.
This option uses an incorrect directive in props.conf that does not operate on raw event text - only SEDCMD can perform in-place raw string substitution within props.conf.
SEDCMD in props.conf applies a sed-style regular expression substitution to the raw event text before the event is written to the index, permanently replacing sensitive strings such as passwords. The correct syntax is SEDCMD-<name> = s/<regex>/<replacement>/g within the appropriate source or sourcetype stanza in props.conf, making it the only props.conf directive that modifies raw event content directly.
A standalone transforms.conf stanza cannot redact raw event text on its own - it must be paired with a TRANSFORMS reference in props.conf, and SEDCMD in props.conf is the simpler and more direct approach for raw text redaction.
This option uses incorrect transforms.conf syntax or a configuration designed to modify extracted field values rather than the underlying raw event text, which does not achieve raw-data redaction.
Concept tested: Raw event redaction using SEDCMD in props.conf
Source: https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
Topics
Community Discussion
No community discussion yet for this question.