https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347364#M93622 <P>Run the following commands on your indexer to check that Splunk finds your configuration:<BR /> /opt/splunk/bin/splunk btool props list<BR /> /opt/splunk/bin/splunk btool transforms list<BR /> Is your configuration listed here?</P> <P>Which sourcetype does your data have? If the props.conf stanza is [xyz:abc:auto] as you posted then the sourcetype of your data must be "xyz:abc:auto".</P> Tue, 19 Dec 2017 09:53:11 GMT Yunagi 2017-12-19T09:53:11Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347355#M93613 <P>hello,</P> <P>I made my Anonymize data based on this <A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Anonymizedata">http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Anonymizedata</A><BR /> and I checked it million times.<BR /> I have distributed installation and I have done this on "indexer"</P> <P>[xyz:abc:auto]<BR /> TRANSFORMS-anonymize = password-anonymizer</P> <P>[password-anonymizer]<BR /> REGEX = (?m)^(.<EM>)Password=\w+%(\w{0}[^&amp;].</EM>)$<BR /> FORMAT = $1Password=#########$2<BR /> DEST_KEY = _raw</P> Mon, 18 Dec 2017 08:11:43 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347355#M93613 ahmadjabr 2017-12-18T08:11:43Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347356#M93614 <P>The link you provided says: "The forwarded data must arrive at the indexer already parsed." Do you perhaps have a heavy forwarder in place?</P> <P>If you have a heavy forwarder in place, move your anonymization configuration from the indexers to the heavy forwarders.</P> Mon, 18 Dec 2017 08:35:46 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347356#M93614 Yunagi 2017-12-18T08:35:46Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347357#M93615 <P>Hi ahmadjabr,<BR /> can you share an example of log to anonymize, your regex isnot so clear?<BR /> Bye.<BR /> giuseppe</P> Mon, 18 Dec 2017 09:10:31 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347357#M93615 gcusello 2017-12-18T09:10:31Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347358#M93616 <P>I don't have heavy forwarder I have universal forwarder, will it work?<BR /> and universal forwarder on the windows machine</P> Mon, 18 Dec 2017 09:49:35 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347358#M93616 ahmadjabr 2017-12-18T09:49:35Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347359#M93617 <P>2017-12-18 07:42:19 10.0.1.1 GET /send.asmx/Send Username=CENTER&amp;Password=asdqweasd%23&amp;Sender=xyyzetc etcetcetectecetetctec</P> Mon, 18 Dec 2017 09:54:39 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347359#M93617 ahmadjabr 2017-12-18T09:54:39Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347360#M93618 <P>Universal forwarders do not parse the data. So keep this configuration on the indexers.</P> Mon, 18 Dec 2017 10:22:34 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347360#M93618 Yunagi 2017-12-18T10:22:34Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347361#M93619 <P>Try the following changes:</P> <PRE><CODE>[password-anonymizer] REGEX = (?m)^(.*)Password=[^%]*(.*)$ FORMAT = $1Password=#########$2 DEST_KEY = _raw </CODE></PRE> <P>Please note that this configuration belongs into transforms.conf. The other two lines you posted belong into props.conf.</P> <P>You will need to restart your indexers after making such changes.</P> <P>Also make sure that your data has the correct sourcetype assigned. (In your case, that would be "xyz:abc:auto".)</P> <P>On a more general note, I often use this website for testing purposes when dealing with regex:<BR /> <A href="https://regex101.com/">https://regex101.com/</A></P> Mon, 18 Dec 2017 10:42:11 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347361#M93619 Yunagi 2017-12-18T10:42:11Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347362#M93620 <P>Hi ahmadjabr,<BR /> try a different regex escaping = and %</P> <PRE><CODE>REGEX = (?m)^.*Password\=\w+\%.*$ </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 18 Dec 2017 10:42:59 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347362#M93620 gcusello 2017-12-18T10:42:59Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347363#M93621 <P>I found out that the indexer doesn't even do anything with the log, it's like it doesn't read the stanza I made.<BR /> and I moved it to the top but its the same nothing happened</P> Tue, 19 Dec 2017 09:38:24 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347363#M93621 ahmadjabr 2017-12-19T09:38:24Z https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347364#M93622 <P>Run the following commands on your indexer to check that Splunk finds your configuration:<BR /> /opt/splunk/bin/splunk btool props list<BR /> /opt/splunk/bin/splunk btool transforms list<BR /> Is your configuration listed here?</P> <P>Which sourcetype does your data have? If the props.conf stanza is [xyz:abc:auto] as you posted then the sourcetype of your data must be "xyz:abc:auto".</P> Tue, 19 Dec 2017 09:53:11 GMT https://community.splunk.com/t5/Getting-Data-In/Anonymize-data-is-not-working/m-p/347364#M93622 Yunagi 2017-12-19T09:53:11Z