https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519678#M87863 Recall that btool shows the configuration on disk. Did you restart Splunk after changing the config files? Tue, 15 Sep 2020 12:48:07 GMT richgalloway 2020-09-15T12:48:07Z https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519664#M87857 <P><SPAN>&nbsp;Hi,</SPAN>I am trying to remove some of the sensitive information to be indexed by Splunk.</P><P>But these configurations are not working ,even after getting the configuration reflected over btool and validating the regex over SPL.</P><P><SPAN>Anyone can assist?</SPAN></P><P><FONT color="#3366FF"><STRONG>props.conf</STRONG></FONT><BR /><STRONG>[o365:management:activity]</STRONG><BR /><STRONG>TRANSFORMS-anonymize = info-anonymizer</STRONG><BR /><STRONG>KV_MODE = json</STRONG><BR /><STRONG>TRUNCATE = 10485760</STRONG></P><P><FONT color="#3366FF"><STRONG>transforms.conf</STRONG></FONT><BR /><STRONG>[info-anonymizer]</STRONG><BR /><STRONG>DEST_KEY = _raw</STRONG><BR /><STRONG>FORMAT = $1$2</STRONG><BR /><STRONG>REGEX = (.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(\"ResultsTruncated\"\:.*)</STRONG></P><P><BR />Have already Validated regex over SPL, It is working fine.</P><P><STRONG>|regex _raw="(.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(\"ResultsTruncated\"\:.*)"</STRONG></P><P>and</P><P><STRONG>|rex field=_raw "(?&lt;before&gt;.*\"SensitiveInformationDetections\"\:\s\{)\"DetectedValues\"\:\s\[.*\]\,\s(?&lt;after&gt;\"ResultsTruncated\"\:.*)"</STRONG><BR /><STRONG>|eval _raw=before+""+after</STRONG></P> Tue, 15 Sep 2020 11:36:48 GMT https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519664#M87857 payal4296 2020-09-15T11:36:48Z https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519678#M87863 Recall that btool shows the configuration on disk. Did you restart Splunk after changing the config files? Tue, 15 Sep 2020 12:48:07 GMT https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519678#M87863 richgalloway 2020-09-15T12:48:07Z https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519711#M87873 <P>Yes have restarted the splunk service after applying changes to the conf files.&nbsp;</P><P>Actually it did worked on Friday ,the day changes were applied but it is not working after that .</P> Tue, 15 Sep 2020 14:25:43 GMT https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519711#M87873 payal4296 2020-09-15T14:25:43Z https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519728#M87877 <P>So the key is to find out what changed since Friday.&nbsp; Use btool to verify the configuration is still in place on your indexers/heavy forwarders.</P> Tue, 15 Sep 2020 14:47:25 GMT https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519728#M87877 richgalloway 2020-09-15T14:47:25Z https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519742#M87880 <P>But nothing have changed, the configurations are same in btool.</P> Tue, 15 Sep 2020 15:39:18 GMT https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519742#M87880 payal4296 2020-09-15T15:39:18Z https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519755#M87884 <P>Something must be different.&nbsp; If not the configuration then something else.&nbsp; Could the format of the data have changed since Friday?&nbsp; Perhaps a change was made on the source over the weekend.</P> Tue, 15 Sep 2020 16:40:05 GMT https://community.splunk.com/t5/Getting-Data-In/Masking-sensitive-information-from-event/m-p/519755#M87884 richgalloway 2020-09-15T16:40:05Z