hiexam
splunk · SPLK-1003 · Q604 · multiple_choice · topic_1


Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field, resulting in the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

  • A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
  • B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
  • C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
  • D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Explanation
Should be D. The \1 indicates the capture group; it should come after the xxx, not before.

Reference: examtopics_top_comment
