Splunk Core Certified Advanced Power User — Question 148
What is the correct example to redact a plain-text password from raw events?
Answer options
- A. in props.conf: [identity] REGEX-redact_pw = s/password=([^,|\s]+)/####REDACTED####/g
- B. in transforms.conf: [identity] REGEX-redact_pw = s/password=([^,|\s]+)/####REDACTED####/g
- C. in props.conf: [identity] SEDCMD-redact_pw = s/password=([^,|\s]+)/####REDACTED####/g
- D. in transforms.conf: [identity] SEDCMD-redact_pw = s/password=([^,|\s]+)/####REDACTED####/g
Correct answer: C
Explanation
C is correct because the 'SEDCMD' setting in props.conf modifies event data at index time, which is what redacting sensitive information such as passwords from raw events requires. Options A and B are incorrect because they use 'REGEX' instead of 'SEDCMD'. Option D uses 'SEDCMD' but places it in transforms.conf instead of props.conf.