
SPLK-1003 Exam - Question 80


Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.

Which configuration file and stanza pair will mask possible SSNs in the log events?

Correct Answer: D

To mask Social Security Numbers (SSNs) in log events, the configuration must be done using the transforms.conf file with a REGEX pattern to identify SSNs and the FORMAT parameter to mask them. The DEST_KEY parameter specifies the field where the masked data will be placed, which is _raw in this case. The transforms.conf file is specifically meant for defining transformations and masking rules, making it the correct choice for this operation.
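A working version of the pairing this answer describes, as an added example that is not taken from the exam options or from Splunk's documentation: transforms.conf defines the mask and props.conf invokes it. The sourcetype name `app_logs` and the class name `mask_ssn` are placeholders, and the regex is written for the 123-44-5678 format given in the question.

```ini
# ---- transforms.conf ----
# Defines the mask. (?ms) lets "." span newlines so a multi-line event is
# captured whole. $1 is everything before the SSN; $2 is the last four
# digits plus the rest of the event. DEST_KEY = _raw overwrites the event
# text with the FORMAT result.
[mask-ssn]
REGEX = (?ms)^(.*)\b\d{3}-\d{2}-(\d{4}\b.*)$
FORMAT = $1###-##-$2
DEST_KEY = _raw

# ---- props.conf ----
# Invokes the transform for one sourcetype. "app_logs" is a placeholder.
# Without this reference the stanza in transforms.conf is never applied.
[app_logs]
TRANSFORMS-mask_ssn = mask-ssn

# ---- props.conf (alternative, no transforms.conf needed) ----
# The "sed script" route mentioned in the props.conf documentation.
# Because the REGEX above is anchored to the whole event, it rewrites one
# SSN per event (the last one); the /g flag here rewrites every match.
# Use one approach or the other for a given sourcetype, not both.
#
# [app_logs]
# SEDCMD-mask_ssn = s/\b\d{3}-\d{2}-(\d{4})\b/###-##-\1/g

# Constructed sample event, before and after either rule:
#   2021-06-30 12:00:01 user=alice ssn=123-44-5678 action=login
#   2021-06-30 12:00:01 user=alice ssn=###-##-5678 action=login
```

Both settings act at parse time, so they belong on the first full Splunk Enterprise instance that parses the data (indexer or heavy forwarder), and they only affect events indexed after the change.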

Discussion

15 comments
ugo1 Option: D
Nov 10, 2020

The Ans is D because transforms.conf is the right configuration file to state the regex expression. https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf

Racgud
Nov 26, 2020

Wrong - B is correct "Props.conf is commonly used for: Anonymizing certain types of sensitive incoming data, such as credit card or social security numbers, using sed scripts." src: https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Propsconf

Racgud
Nov 26, 2020

looks like both are correct, the same sentence can be found in: https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf

Splunkv
Apr 19, 2021

Correct Answer is D. DEST_KEY is not an attribute in props.conf spec

lollo1234
Mar 18, 2021

No, props.conf doesn't have a REGEX config-parameter, transforms.conf does.

Hamiltonian
Jun 23, 2021

Hence the phrase "sed scripts". SEDCMDs are not being used in any of the answers. Thus, the answer is dealing with TRANSFORMS. TRANSFORMS are invoked by the props.conf file, but the transformations, i.e., REGEX, FORMAT, etc. are specified in the transforms.conf.

TeeCeeP Option: D
Dec 30, 2020

D slide 242 in data admin

hwangho Option: D
Dec 30, 2020

Answer is D. Please check "Using Transforms" from Data Administration training Doc.
- define the transformation in transforms.conf
- invoke the transformation from props.conf

lilsem Option: D
Aug 31, 2021

The confusion comes from the fact that without props.conf, transforms.conf won't work, as you have to reference the "options" from the latter in the props.conf file; but the configurations we see in the answers are proper to the transforms.conf file, and the REGEX attribute is to be used in this file, not REX, so that leads us to the D answer.

ckmunich Option: D
Aug 9, 2021

Answer is D: Configure the transforms.conf file. The Splunk platform uses the transforms.conf file to perform the transformation of the data.

Mando22 Option: D
Sep 29, 2022

Correct Answer: D

afroben Option: B
Dec 10, 2020

Props.conf specifies the transforms to use to anonymize your data. Correct answer is B.

MariuszSem
Aug 1, 2021

The correct answer is D

gsplunker Option: D
Feb 12, 2021

Ans is D

AngusBlack Option: D
Jun 30, 2021

D is the least wrong answer. All of the REGEXs are wrong.

Hudda
Jul 7, 2021

Friends, many views on this question, could you please confirm the final answer?

splunkkid Option: D
Jul 1, 2022

Ans: D. A & B are definitely incorrect, as format & dest_key are not attributes under props.conf; C is incorrect, as the attribute should be REGEX instead of REX.

alejohu Option: D
Aug 16, 2022

Ans is D

emlch Option: B
Sep 5, 2022

props.conf invokes transforms.conf

kolaturka Option: D
Apr 5, 2023

The correct answer is D. The transforms.conf file is used to define field extractions and data masking rules. In this case, we want to mask Social Security Numbers (SSN) found in log events. We can achieve this using a regular expression and the FORMAT parameter to replace the SSN with a masked value. The DEST_KEY parameter is used to specify the destination field for the masked data. Here is an explanation of the stanza:
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw

Mntman77 Option: D
Jul 3, 2023

"D" is correct... see ref: https://bluefletch.com/the-magic-of-splunk-how-to-throw-away-data/#:~:text=DEST_KEY%20%3D%20queue%20FORMAT%20%3D%20nullQueue%20Notice%20the,it%20to%20the%20indexer%29%20or%20%E2%80%98nullQueue%E2%80%99%20%28ignore%20it%29.