Exam SPLK-1003
Question 100

Using SEDCMD in props.conf allows raw data to be modified. Given the event below, which option will mask the first three digits of the AcctID field so that the resulting output is: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

    Correct Answer: D

    To mask the first three digits of the AcctID field and replace them with 'xxx', while retaining the last four digits, the correct sed substitution regex should capture the first three digits and the last four digits separately. The regex 'AcctID=\d{3}(\d{4})' captures the last four digits in a capture group. In the replacement part 'AcctID=xxx\1', 'xxx' replaces the first three digits, and '\1' inserts the captured last four digits. Therefore, the correct SEDCMD is 'SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g'.
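As an added example (not from the exam page or from Splunk's own code), the Python below applies a props.conf SEDCMD line to a raw event, parsing the s/<regex>/<replacement>/<flags> form the explanation describes and honouring the g, none, and N flags. The unmasked AcctID value 1235309 in RAW_EVENT is an assumption, since the exam shows only the masked result.

```python
import re

def parse_sedcmd(expr: str):
    """Split 's/<regex>/<replacement>/<flags>'; the delimiter is the character
    after 's', and an escaped delimiter (\\/) stays literal inside either part."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only s/// substitutions are handled here")
    delim, parts, buf, i = expr[1], [], "", 2
    while i < len(expr) and len(parts) < 2:
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr) and expr[i + 1] == delim:
            buf, i = buf + delim, i + 2
            continue
        if ch == delim:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    if len(parts) != 2:
        raise ValueError("malformed substitution: " + expr)
    return parts[0], parts[1], expr[i:]

def apply_sedcmd(expr: str, raw: str) -> str:
    """Apply one SEDCMD to a raw event. Flags: none = first match only,
    'g' = every match, a number N = only the Nth match (Splunk semantics)."""
    regex, repl, flags = parse_sedcmd(expr)
    pattern = re.compile(regex)
    if flags == "":
        return pattern.sub(repl, raw, count=1)
    if flags == "g":
        return pattern.sub(repl, raw)
    if flags.isdigit():
        nth, seen = int(flags), [0]
        def only_nth(m):
            seen[0] += 1
            return m.expand(repl) if seen[0] == nth else m.group(0)
        return pattern.sub(only_nth, raw)
    raise ValueError("unsupported flag: " + flags)

def apply_props_line(line: str, raw: str) -> str:
    """Take a 'SEDCMD-<class> = <expr>' line exactly as written in props.conf."""
    key, _, expr = line.partition("=")
    if not key.strip().startswith("SEDCMD-"):
        raise ValueError("not a SEDCMD setting: " + line)
    return apply_sedcmd(expr.strip(), raw)

# Constructed raw event: the unmasked AcctID is assumed, the exam only shows the result.
RAW_EVENT = "[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=1235309"
ANSWER_D = r"SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g"
MASKED = apply_props_line(ANSWER_D, RAW_EVENT)  # ends with AcctID=xxx5309
```

Swapping the replacement to AcctID=\1xxx (the ordering the discussion warns against) yields AcctID=5309xxx, which is why the capture group must follow the xxx.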

Discussion
loky0 (Option: D)

Should be D. The \1 indicates the capture group; it should come after the xxx, not before.

ucsdmiami2020

Confirmed via Splunk docs https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata. Scrolling down to the section titled "Define the sed script in props.conf" shows the correct syntax of an example, which validates that the number/character /1 immediately precedes the /g.

Seba0297 (Option: D)

"SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g" follows the SEDCMD rule "s/<regex>/<replacement>/<flags>". In this case we are rewriting AcctID with three 'x', then appending the first (and only) capture group, made of 4 digits.

Pacheco (Option: D)

Right answer is D