In which Splunk configuration is the SEDCMD used?
In which Splunk configuration is the SEDCMD used?
The SEDCMD setting is used to mask or truncate raw data and is configured within the props.conf file. This configuration allows for modifications to event data before it is indexed, making it suitable for altering data that contains characters the third-party servers cannot process.
There's two transformation methods: SEDCMD or TRANSFORMS SEDCMD: uses props.conf (used to mask or truncate raw data) TRANSFORM: uses props.conf and transforms.conf (transforms matching events based on metadata)
Yes, this is from data admin pdf Thank you
A in props.conf
"You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. " <https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd>
So yea answer is A.
Agreed A. Quoting the Reference URL "By default, Splunk software does not change the content of an event to make its character set compliant with the third-party server. You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-part server can't process."
A is correct
A is correct <https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/Anonymizedata> Use the SEDCMD setting. This setting exists in the props.conf configuration file, which you configure on the heavy forwarder.
Agreed A. Quoting the Reference URL "There are two ways to anonymize data with a heavy forwarder: - Use the SEDCMD setting. This setting exists in the props.conf configuration file, which you configure on the heavy forwarder. It acts like a sed *nix script to do replacements and substitutions."
A is correct
page 182 data admin
answer is A