Does it have to do with the highlighted parameter INDEXED_EXTRACTIONS,  Example:Isolation:Web doesn’t have any SEDCMDs [Example:Isolation:Web] EVAL-vendor_region = lower('region'."-".'zone') FIELDALIAS-aob_gen_Example_Isolation_Web_alias_1 = userName AS user FIELDALIAS-aob_gen_Example_Isolation_Web_alias_2 = disposition AS action FIELDALIAS-aob_gen_Example_Isolation_Web_alias_4 = categories{} AS category FIELDALIAS-aob_gen_Example_Isolation_Web_alias_5 = fileName AS file_name FIELDALIAS-aob_gen_Example_Isolation_Web_alias_6 = fileSize AS file_size FIELDALIAS-aob_gen_Example_Isolation_Web_alias_7 = fileMimeType AS http_content_type FIELDALIAS-aob_gen_Example_Isolation_Web_alias_8 = parentPageURL AS http_referrer FIELDALIAS-aob_gen_Example_Isolation_Web_alias_9 = classification AS type INDEXED_EXTRACTIONS = json AUTO_KV_JSON = 0 KV_MODE = none SHOULD_LINEMERGE = 0 TIMESTAMP_FIELDS = date category = Example Web Isolation pulldown_type = 1 local/props.onf [Example:Isolation:Url] SEDCMD-sanitize_jsessionid = s/jsessionid=[0-9A-Za z]+/jsessionid=masked_by_splunk/g SEDCMD-sanitize_url_parameter = s/([#&])(access_token|id_token)=[^\s&",]+/\1\2=masked_by_splunk/g SEDCMD-sanitize_url_parameters_password = s/([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd])=[^\s"&']+/\1=masked_by_splunk/g   ... View more