ExamGecko
Search Search Login
Home Home / Splunk / SPLK-1003
Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309 Event: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Which is a valid stanza for a network input?
In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?
What are the minimum required settings when creating a network input in Splunk?
Consider the following stanza in inputs.conf: What will the value of the source filed be for events generated by this scripts input?
Local user accounts created in Splunk store passwords in which file?
Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)
Running this search in a distributed environment: On what Splunk component does the eval command get executed?
User role inheritance allows what to be inherited from the parent role? (select all that apply)
Which of the following Splunk components require a separate installation package?

Question 164 - SPLK-1003 discussion

Report
Export

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do t/1 /2nsure that the masking takes place successfully?

A.
Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.
Answers
A.
Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.
B.
For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.
Answers
B.
For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.
C.
Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.
Answers
C.
Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.
D.
Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.
Answers
D.
Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.
Suggested answer: D

Explanation:

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

According to the Splunk documentation1, to mask sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file and the REGEX attribute in the transforms.conf file. The SEDCMD attribute applies a sed expression to the raw data before indexing, while the REGEX attribute defines a regular expression to match the data to be masked. You need to place these files on the Splunk instance that parses the data, which is usually the indexer or the heavy forwarder2. The universal forwarder does not parse the data, so it does not need these files.

For source A, the data is routed through a heavy forwarder, which can parse the data before sending it to the indexer. Therefore, you need to place both props.conf and transforms.conf on the heavy forwarder for source A, so that the masking takes place before indexing.

For source B, the data is routed directly to the indexer, which parses and indexes the data. Therefore, you need to place both props.conf and transforms.conf on the indexer for source B, so that the masking takes place before indexing.

Show Answer
asked 23/09/2024
Ola Magnus Sundlisæter
36 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms