Exam SPLK-1005 topic 1 question 5 discussion

props.conf does NOT support the REGEX, DEST_KEY or FORMAT stanza properties.

To mask sensitive data in the log file without altering its structure, the configuration must use props.conf and transforms.conf together. Here's why B is correct: In props.conf: The stanza [source::/var/log/purchases/transactions.log] applies the transformation rule (TRANSFORMS-cleanup) to the specified source file. It references the transforms.conf stanza remove_sensitive_data. In transforms.conf: The REGEX matches the sensitive data pattern: (SuperSecretNumber=)\d{12}. The DEST_KEY = _raw ensures that the masking is applied directly to the raw event data. The FORMAT = $1xxxxxxxxxxxx replaces the sensitive number with a masked version (xxxxxxxxxxxx) while preserving the prefix (SuperSecretNumber=), maintaining the structure of the log.

B, but REGEX is wrong because is omitting the first part of the event.

Option B is the correct approach because it properly uses a TRANSFORMS stanza in props.conf to reference the transforms.conf for removing sensitive data. The transforms stanza in transforms.conf uses a regular expression (REGEX) to locate the sensitive data