Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Splunk SPLK-1003 Exam - Topic 14 Question 111 Discussion

Actual exam question for Splunk's SPLK-1003 exam
Question #: 111
Topic #: 14
[All SPLK-1003 Questions]

What is the correct example to redact a plain-text password from raw events?

Show Suggested Answer Hide Answer
Suggested Answer: B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

According to the Splunk documentation1, to redact sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file. The SEDCMD attribute applies a sed expression to the raw data before indexing. The sed expression can use the s command to replace a pattern with a substitution string. For example, the following sed expression replaces any occurrence of password= followed by any characters until a comma, whitespace, or slash with ####REACTED####:

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option C is incorrect because it uses the transforms.conf file instead of the props.conf file. The transforms.conf file is used to define transformations that can be applied to fields or events, such as lookups, evaluations, or replacements. However, these transformations are applied after indexing, not before.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation


by Tarra at Mar 23, 2025, 11:22 PM

Limited Time Offer

25%

Off

Get Premium SPLK-1003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Lynda
3 months ago
No way, I thought REGEX was the standard for this!
upvoted 0 times
...
Gail
3 months ago
Wait, isn't D also valid?
upvoted 0 times
...
Hortencia
4 months ago
I thought it was A at first, but B makes more sense.
upvoted 0 times
...
Timothy
4 months ago
I always get confused between REGEX and SEDCMD.
upvoted 0 times
...
James
4 months ago
Option B is the right one!
upvoted 0 times
...
Floyd
4 months ago
I thought REGEX was used in transforms.conf, but I can’t recall if it was for redaction or something else. This is tricky!
upvoted 0 times
...
Venita
4 months ago
I’m a bit confused about the difference between REGEX and SEDCMD in this context. I feel like I might have seen something about that in our notes.
upvoted 0 times
...
Effie
5 months ago
I remember practicing a similar question, and I think SEDCMD is the right command for redacting passwords. So maybe B?
upvoted 0 times
...
Edison
5 months ago
I think it’s either A or B, but I’m not sure which one uses the correct syntax for redaction.
upvoted 0 times
...
Vannessa
5 months ago
Ah, I remember learning about this in the Splunk administration training. The REGEX-redact_pw option in props.conf is the correct way to redact passwords from raw events.
upvoted 0 times
...
Laurel
5 months ago
Okay, the key here is to use the correct configuration file and the right redaction command. I'm leaning towards option B or C, but I'll double-check the syntax to be sure.
upvoted 0 times
...
Darrin
5 months ago
Hmm, I'm a bit unsure about the difference between props.conf and transforms.conf. I'll need to review that before deciding on the answer.
upvoted 0 times
...
Malissa
6 months ago
This looks like a straightforward question on redacting sensitive information like passwords from raw event data. I think I can handle this one.
upvoted 0 times
...
Annamaria
12 months ago
Haha, this question is a real mind-bender. I'm just going to pick Option A and hope for the best. Password redaction can't be that complicated, right?
upvoted 0 times
Kaycee
10 months ago
User4: I'm going with Option D. It looks like it could do the job effectively.
upvoted 0 times
...
Maryrose
10 months ago
User3: Option C might be the way to go. It seems like a solid choice.
upvoted 0 times
...
Myra
10 months ago
User2: I'm leaning towards Option B. It looks like it could work as well.
upvoted 0 times
...
Inocencia
10 months ago
User1: I think I'll go with Option A too. It seems straightforward.
upvoted 0 times
...
Alecia
10 months ago
User1: Good point, let's see which one actually does the job.
upvoted 0 times
...
Talia
10 months ago
User3: I'm going with Option D. It looks like it could work as well.
upvoted 0 times
...
Noe
10 months ago
User2: Yeah, that's what I was thinking. Let's hope it works!
upvoted 0 times
...
Annett
10 months ago
User1: I think I'll go with Option A too. It seems straightforward.
upvoted 0 times
...
...
Romana
12 months ago
Hmm, this is a tricky one. I'm going to go with Option D just because it sounds more secure to use REGEX in the transforms.conf file.
upvoted 0 times
...
Martin
12 months ago
I disagree, I think Option C is the right answer. Using transforms.conf with SEDCMD is the standard way to redact sensitive information like passwords.
upvoted 0 times
Beckie
11 months ago
I agree with you, Option C is the right answer. It's important to redact sensitive information like passwords properly.
upvoted 0 times
...
Ellsworth
11 months ago
I think Option A is the best choice. Using props.conf with REGEX-redact_pw is a more efficient way to redact plain-text passwords.
upvoted 0 times
...
Jame
12 months ago
Option C is the correct answer. Using transforms.conf with SEDCMD is the standard way to redact sensitive information like passwords.
upvoted 0 times
...
...
Stephane
12 months ago
I see your point, maybe C) is better for redacting passwords in raw events.
upvoted 0 times
...
Carey
12 months ago
But A) uses REGEX while C) uses SEDCMD, which one do you think is more appropriate?
upvoted 0 times
...
Stephane
12 months ago
I disagree, I believe it is C) in transforms.conf.
upvoted 0 times
...
Vashti
1 year ago
Option B looks like the correct way to redact a password in the props.conf file. Using SEDCMD instead of REGEX seems more appropriate for this task.
upvoted 0 times
Evangelina
11 months ago
User3: I agree, using SEDCMD for redacting passwords is more suitable.
upvoted 0 times
...
Reed
11 months ago
User2: Yeah, SEDCMD in props.conf seems like the right choice.
upvoted 0 times
...
Stefania
12 months ago
User1: I think option B is the way to go.
upvoted 0 times
...
...
Carey
1 year ago
I think the correct example is A) in props.conf.
upvoted 0 times
...

Save Cancel