Hi I am trying to transform a couple of strings that are being capture in my Splunk logs The string are similar to this {"Key":"Authorization","Value":["Basic EAAAALhzFAxssvST1j4jBCAynyb3F9kHsHFWvijwNkuBb3pnY0zFtrz61YPlxQkP73l9p9ZusdBBfjSrDXgueEipT8xUuRk3tFPIAnmwFbGxluvRa3szorgtEq6VDXuIZL9RgA=="]},{"Key":"Authorization-Token","Value":["BCDC62F494410A7ABAE80457C9566F37"]}] I have tested the following regex expressions with a couple of tools, and they seem to match "Authorization","Value":\["(Basic)\s[a-zA-Z0-9+\/]+={0,2}" "Authorization-Token","Value":\["[a-zA-Z0-9+]+" I have the following in my $SPLUNK_HOME/etc/system/local/props.conf file [someapp] TRANSFORMS-anonymize = authorization-anonymizer, authorization-token-anonymizer And the following in my $SPLUNK_HOME/etc/system/local/transforms.conf file `[authorization-anonymizer] REGEX = "Authorization","Value":["(Basic)\s[a-zA-Z0-9+\/]+={0,2}" FORMAT = $1"Value":["Basic ##############################################################################################################################$2 DEST_KEY = _raw [authorization-token-anonymizer] REGEX= "Authorization-Token","Value":["[a-zA-Z0-9+]+" FORMAT = $1"Value":["############################$2 DEST_KEY = _raw` The intention is to replace the strings with # characters, but I clearly have misunderstood something, as the strings are not changing Could anyone help at all ? Thanks _scott ... View more