I've edited your question so that others can be helped here... Initially it seemed as if you weren't getting the data in, but in the end you're describing a problem with extracting the fields.

The fields are there but the app you're using isn't accounting for the syslog header. (the Squid App for Splunk Enterprise seems to have been updated in 2011 and not again...)

Also it's also counting on certain values being present in order to pick up the fields.. Look at the transforms.conf in the app and you'll see that the regex is not going to match your events.
So if you like, you can change the props.conf from:
REPORT-squid = squid
to

EXTRACT-squid =  \(squid-1\):\s+(?P<epoch_time>\d+\.\d+)\s(?P<duration>\d+)\s(?P<clientip>[^\s]+)\s(?P<action>[^\/]+)\/(?P<http_status>\d{3})\s(?P<bytes>\d+)\s+(?P<method>[^\s]+)\s(?P<uri>[^\s]+)\s(?P<unknown_value>[^\s]+)\s(?P<hierarchy_code>[^\/]+)\/(?<server_ip>\d+\.\d+\.\d+\.\d+)\s(?P<content_type>.+)

And you'll be able to get the fields. Or if you feel comfortable, you can alter the transforms, conf and use the regex I've given you (removing or accommodating for the FORMAT directive.

Note the savedsearches.conf in the app... all searches hang on the presence of the action field. You probably didn't have any fields.
action=* means... pull only events where the action field exists... that would be 0 until you extract the field.