Splunk Core Certified Advanced Power User — Question 50

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?

Answer options

• A. props.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)
  quot; FORMAT = $1<SSN>###-##-$2 KEY = _raw
• B. props.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)
  quot; FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
• C. transforms.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)
  quot; FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
• D. transforms.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)
  quot; FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw

Correct answer: D

Explanation

The correct answer is D because it specifies the transforms.conf file and uses the REGEX option, which is appropriate for masking sensitive data like SSNs. Options A and B incorrectly use props.conf, which is not suitable for this task, while option C uses REX instead of REGEX, making it incorrect for the required masking configuration.