nerdexam
Splunk

SPLK-1003 · Question #92

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: Event: [22/Oct/2018:15:50:21]

The correct answer is D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g. The goal is to mask the first 3 digits of AcctID, keeping the last 4 digits. The original AcctID (e.g., AcctID=1235309) should become AcctID=xxx5309. Option D - s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g - correctly matches 3 digits then captures the next 4 digits in group \1, replacin

Configuration Files

Question

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output:

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Options

  • ASEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
  • BSEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
  • CSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
  • DSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

How the community answered

(39 responses)
  • A
    8% (3)
  • B
    5% (2)
  • C
    15% (6)
  • D
    72% (28)

Explanation

The goal is to mask the first 3 digits of AcctID, keeping the last 4 digits. The original AcctID (e.g., AcctID=1235309) should become AcctID=xxx5309. Option D - s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g - correctly matches 3 digits then captures the next 4 digits in group \1, replacing with 'xxx' followed by the captured 4 digits (\1), producing AcctID=xxx5309. Option C is wrong because it places \1 before 'xxx', producing AcctID=5309xxx. Option B incorrectly targets a 3+4 digit pattern but uses wrong replacement syntax. Option A incorrectly targets VendorID instead of AcctID.

Topics

#SEDCMD#props.conf#Data Masking#Regular Expressions

Community Discussion

No community discussion yet for this question.

Full SPLK-1003 Practice