Social Security Numbers (PII) are found in log events, which is against company policy. The SSN format is as follows: 123-44-5678. Which configuration file and stanza pair will mask possible SSNs in the log events?
A. props.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
KEY = _raw

B. props.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw

C. transforms.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw

D. transforms.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
The Ans is D
because transforms.conf is the right configuration file to state the regex expression.
https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf
Wrong - B is correct
"Props.conf is commonly used for:
Anonymizing certain types of sensitive incoming data, such as credit
card or social security numbers, using sed scripts."
src: https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Propsconf
Hence the phrase "sed scripts". SEDCMDs are not being used in any of the answers. Thus, the answer is dealing with TRANSFORMS. TRANSFORMS are invoked by the props.conf file, but the transformations, i.e., REGEX, FORMAT, etc., are specified in transforms.conf.
"D" is correct... see ref: https://bluefletch.com/the-magic-of-splunk-how-to-throw-away-data/#:~:text=DEST_KEY%20%3D%20queue%20FORMAT%20%3D%20nullQueue%20Notice%20the,it%20to%20the%20indexer%29%20or%20%E2%80%98nullQueue%E2%80%99%20%28ignore%20it%29.
The correct answer is D.
The transforms.conf file is used to define field extractions and data masking rules. In this case, we want to mask Social Security Numbers (SSN) found in log events. We can achieve this using a regular expression and the FORMAT parameter to replace the SSN with a masked value. The DEST_KEY parameter is used to specify the destination field for the masked data.
Here is an explanation of the stanza:
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
Ans: D
A & B are definitely incorrect as format & dest_key are not attributes under props.conf; C is incorrect as the attribute should be REGEX instead of REX.
The confusion comes from the fact that without props.conf, transforms.conf won't work, as you have to reference the "options" from the latter in the props.conf file; but the configurations we see in the answers are proper to the transforms.conf file, and the REGEX attribute is to be used in this file, not REX, so that leads us to the D answer.
Answer is D.
Please check "Using Transforms" from Data Administration training Doc.
- define the transformation in transforms.conf
- invoke the transformation from props.conf
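The define-then-invoke pairing discussed in the comments above, as an added example that is not part of the original thread or of Splunk's documentation. The sourcetype `app_logs`, the class name `mask_ssn` and the regex are assumptions constructed for the 123-44-5678 format; the regex is not the one from the answer options.

```ini
# props.conf (on the instance that parses the data: indexer or heavy forwarder)
# "app_logs" is a hypothetical sourcetype; "mask_ssn" is an arbitrary class name.
[app_logs]
TRANSFORMS-mask_ssn = mask-SSN

# transforms.conf (same instance)
# Constructed regex: capture everything before the SSN, drop the first five
# digits, keep the last four plus the rest of the event.
[mask-SSN]
REGEX = (?ms)^(.*?)\b\d{3}-\d{2}-(\d{4}\b.*)$
FORMAT = $1###-##-$2
DEST_KEY = _raw

# props.conf-only alternative: the "sed scripts" route quoted from the
# props.conf documentation. Shown commented out so only one method is active.
# [app_logs]
# SEDCMD-mask_ssn = s/\b\d{3}-\d{2}-(\d{4})\b/###-##-\1/g
```

As written, the REGEX matches an event once and rewrites only the first SSN in it, while the sed form's `g` flag replaces every occurrence. Either method applies only to data parsed after the change; events already indexed keep their original values.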