SPLK-1003 · Question #92
Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: Event: [22/Oct/2018:15:50:21]
The correct answer is D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g. The goal is to mask the first 3 digits of AcctID, keeping the last 4 digits. The original AcctID (e.g., AcctID=1235309) should become AcctID=xxx5309. Option D - s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g - correctly matches 3 digits then captures the next 4 digits in group \1, replacin
Question
Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output:
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Options
- ASEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
- BSEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
- CSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
- DSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g
How the community answered
(39 responses)- A8% (3)
- B5% (2)
- C15% (6)
- D72% (28)
Explanation
The goal is to mask the first 3 digits of AcctID, keeping the last 4 digits. The original AcctID (e.g., AcctID=1235309) should become AcctID=xxx5309. Option D - s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g - correctly matches 3 digits then captures the next 4 digits in group \1, replacing with 'xxx' followed by the captured 4 digits (\1), producing AcctID=xxx5309. Option C is wrong because it places \1 before 'xxx', producing AcctID=5309xxx. Option B incorrectly targets a 3+4 digit pattern but uses wrong replacement syntax. Option A incorrectly targets VendorID instead of AcctID.
Topics
Community Discussion
No community discussion yet for this question.