Exam SPLK-5001 topic 1 question 59 discussion

Actual exam question from Splunk's SPLK-5001

Question #: 59
Topic #: 1

While testing the dynamic removal of credit card numbers, an analyst lands on using the rex command. What mode needs to be set to in order to replace the defined values with X?
| makeresults
| eval ccnumber="511388720478619733"
| rex field=ccnumber mode=??? "s/(\d{4}-){3)/XXXX-XXXX-XXXX-/g"
Please assume that the above rex command is correctly written.

A. sed
B. replace
C. mask
D. substitute

Show Suggested Answer

Suggested Answer: A 🗳️

by nosavotor at Sept. 26, 2024, 9:13 p.m.

Comments

Submit Cancel

christophe_ciwr

7 months, 3 weeks ago

A https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples

upvoted 1 times

...

CeeCapi

8 months ago

A. sed is correct. In Splunk, setting mode=sed with the rex command allows the use of sed-style substitution to replace matched patterns with specified values, such as replacing parts of a credit card number with "X". The sed mode is specifically designed for search-time string replacements and masking sensitive data. So, the correct syntax would be: | makeresults | eval ccnumber="511388720478619733" | rex field=ccnumber mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"

upvoted 2 times

...

Nss_dfir

9 months ago

Selected Answer: C

To replace defined values with "X" using the rex command in Splunk, you should set the mode to C. mask. Using the mask mode will ensure that the credit card number is masked as intended.

upvoted 1 times

...

nosavotor

9 months, 1 week ago

Someone please verify the accuracy of this answer

upvoted 1 times

...