Exam SPLK-1003 topic 1 question 100 discussion

Actual exam question from Splunk's SPLK-1003
Question #: 100
Topic #: 1

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field, resulting in the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

  • A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
  • B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
  • C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
  • D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g
Suggested Answer: D

Comments

Seba0297
1 month ago
Selected Answer: D
"SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g" follows the SEDCMD rule "s/<regex>/<replacement>/<flags>". In this case we are rewriting AcctID with three 'x', then appending the first (and only) capture group, made of 4 digits.
upvoted 3 times
Pacheco
9 months, 3 weeks ago
Right answer is D
upvoted 2 times
loky0
10 months ago
Should be D. The \1 indicates the capture group; it should come after the xxx, not before.
upvoted 4 times
ucsdmiami2020
9 months, 1 week ago
Confirmed via Splunk docs: https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata Scrolling down to the section titled "Define the sed script in props.conf" shows the correct syntax of an example which validates that the number/character /1 immediately preceded the /g
upvoted 1 times
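The four options can be checked mechanically. The following is an added example, not part of the original thread and not Splunk code: it approximates each SEDCMD substitution with Python's `re` module (an assumption that holds for these simple patterns) and runs it against a constructed unmasked event, since the page only shows the masked form.

```python
import re

# Constructed sample event: the page only shows the masked form, so the
# unmasked account number here is an assumption made for the demo.
RAW_EVENT = "[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=8675309"
EXPECTED = "[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309"

# The four answer options, keyed by letter (sed script part only).
OPTIONS = {
    "A": r"s/VendorID=\d{3}(\d{4})/VendorID=xxx/g",
    "B": r"s/AcctID=\d{3}(\d{4})/AcctID=xxx/g",
    "C": r"s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g",
    "D": r"s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g",
}

def split_sed(script):
    """Split 's/<regex>/<replacement>/<flags>' on unescaped '/'."""
    if not script.startswith("s/"):
        raise ValueError("only s/// scripts are handled here")
    parts, buf, i = [], [], 2
    while i < len(script):
        ch = script[i]
        if ch == "\\" and i + 1 < len(script):
            buf.append(script[i:i + 2])  # keep escape pairs such as \d, \1 intact
            i += 2
            continue
        if ch == "/" and len(parts) < 2:
            parts.append("".join(buf))   # end of regex, then end of replacement
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 2:
        raise ValueError("malformed s/// script")
    return parts[0], parts[1], "".join(buf)

def apply_sedcmd(script, event):
    """Approximate a SEDCMD substitution using Python's re module."""
    regex, replacement, flags = split_sed(script)
    count = 0 if "g" in flags else 1  # without g, only the first match is replaced
    return re.sub(regex, replacement, event, count=count)

def evaluate(event=RAW_EVENT):
    """Return the rewritten event for each answer option."""
    return {letter: apply_sedcmd(s, event) for letter, s in OPTIONS.items()}

if __name__ == "__main__":
    for letter, out in evaluate().items():
        print(letter, "MATCH" if out == EXPECTED else "no   ", out)
```

Only D reproduces the expected output: A never matches because VendorID carries four digits rather than seven, B drops the captured digits, and C places them before the mask.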