There are two transformation methods: SEDCMD or TRANSFORMS
SEDCMD: uses props.conf (used to mask or truncate raw data)
TRANSFORMS: uses props.conf and transforms.conf (transforms matching events based on metadata)
A is correct
<https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/Anonymizedata>
Use the SEDCMD setting. This setting exists in the props.conf configuration file, which you configure on the heavy forwarder.
Agreed A. Quoting the Reference URL
"There are two ways to anonymize data with a heavy forwarder:
- Use the SEDCMD setting. This setting exists in the props.conf configuration file, which you configure on the heavy forwarder. It acts like a sed *nix script to do replacements and substitutions."
"You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process." <https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd>
Agreed A. Quoting the Reference URL
"By default, Splunk software does not change the content of an event to make its character set compliant with the third-party server. You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server can't process."
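The two methods discussed in this thread, side by side, as an added example that is not part of any comment above or of a real deployment. The sourcetype `acme:accounts`, the class names, the stanza name `mask-session-id` and the `ssn=` / `SessionId=` field layouts are assumptions chosen for illustration.

```ini
# ---- props.conf on the heavy forwarder ----
# "acme:accounts" is a made-up sourcetype; use the one your input assigns.
[acme:accounts]

# Method 1: SEDCMD. Lives in props.conf only.
# sed-style substitution applied to the raw event before it is indexed
# or forwarded. For a constructed event containing "ssn=123456789" this
# keeps the last four digits and masks the first five: "ssn=xxxxx6789".
SEDCMD-mask_ssn = s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g

# Method 2: TRANSFORMS. props.conf only names the transform; the regex
# itself lives in transforms.conf (second stanza below).
TRANSFORMS-anonymize = mask-session-id

# ---- transforms.conf on the same heavy forwarder ----
[mask-session-id]
# The capture groups hold everything before and after the masked value,
# because FORMAT rewrites the whole event when DEST_KEY is _raw.
# Assumes the value is followed by "&" or a double quote.
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
```

Both settings act at parse time, so they must sit on the first full Splunk instance that parses the data (the heavy forwarder here); events already indexed are not rewritten.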