A user has been asked to mask some sensitive data without tampering with the structure of the file /var/log/purchase/transactions.log that has the following format:
A)
B)
C)
D)
Answer: B
Explanation:
Option B is the correct approach because it uses a TRANSFORMS setting in props.conf to reference a transforms.conf stanza that removes the sensitive data. That stanza uses a regular expression (REGEX) to locate the sensitive data (in this case, the SuperSecretNumber) and the FORMAT directive to replace it with a masked version. In detail:
props.conf refers to the transforms.conf stanza remove_sensitive_data by setting TRANSFORMS-cleanup = remove_sensitive_data.
transforms.conf defines the regular expression that matches the sensitive data and, in the FORMAT directive, specifies how the sensitive data should be replaced.
This approach ensures that sensitive information is masked before indexing without altering the structure of the log files.
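A sketch of the two files the explanation describes, as an added example rather than the exam's Option B or Splunk's own sample. The stanza name, TRANSFORMS-cleanup and SuperSecretNumber come from the text above; the key=value event layout, the regular expression and the mask string are assumptions, since the log format is not shown on this page.

```ini
# ---- props.conf ----
# Bind the masking transform to the one log file named in the question.
# Index-time transforms run where the data is parsed (heavy forwarder or
# indexer), so the unmasked value is never written to the index.
[source::/var/log/purchase/transactions.log]
TRANSFORMS-cleanup = remove_sensitive_data

# ---- transforms.conf ----
# Assumed (constructed) single-line event layout:
#   <timestamp> TransactionID=<id> SuperSecretNumber=<digits> Amount=<n>
[remove_sensitive_data]
# Group 1: everything up to and including the key and "=".
# \d+    : the sensitive digits; left uncaptured so they are dropped.
# Group 2: the remainder of the event, kept unchanged.
REGEX = ^(.*SuperSecretNumber=)\d+(.*)$
# Rebuild the event as group 1 + fixed mask + group 2, so field order and
# every other key=value pair stay exactly as they were.
FORMAT = $1XXXXXXXX$2
# Write the result back over the raw event text; without this the
# transform would not change what gets indexed.
DEST_KEY = _raw
```

Events that do not match REGEX pass through untouched, so a masking rule like this should be checked against a sample of real events before it is relied on.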
Splunk Cloud
Reference: See Splunk’s documentation on data masking and transformation through props.conf and transforms.conf. Source:
Splunk Docs: Anonymize data
Splunk Docs: Props.conf and Transforms.conf