Björn,
Thank you for the reply. This was all very useful information.
I tried populating C:\Program Files\Splunk\etc\apps\search\local with my settings for props.conf and transforms.conf, but that didn't work.
I ended up populating the settings in C:\Program Files\Splunk\etc\system\local for props.conf and transforms.conf. However, at first, this still didn't work.
The real problem was in Splunks documentation that I was using found here: Forwarding Data
Under the section, Keep specific events and discard the rest, I copied the this specific line for the profs.conf configuration:
TRANSFORMS-set= setnull,setparsing
The problem was that there needs to be a space inbetween the comma and "setparsing". This line should read like:
TRANSFORMS-set = setnull, setparsing
After adding the space, everything is working correctly now. I can't tell you how many hours I have spent trying to figure this out the last two days.
Again, thank you for your help! It is greatly appreciated.
... View more