Splunk Core Certified Advanced Power User — Question 105
Using SEDCMD in props.conf allows raw data to be modified. Given the event below, which option will mask the first three digits of the AcctID field, resulting in the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Answer options
- A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
- B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
- C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
- D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g
Correct answer: D
Explanation
Option D is correct because it replaces the first three digits of AcctID with 'xxx' while preserving the last four digits using the capture group \1. Options A and B are incorrect as they do not address the AcctID field properly. Option C mistakenly places the captured digits after 'xxx', which does not achieve the desired output.