Here are the inputs, props and transforms for your set up. The inputs.conf goes onto the wherever your UniversalForwarder is installed. The others go on to the indexer/search, you need to put the stanzas to eliminate headers in place before you index the data, the field extractions are only applied at search time.
Tested on versions 5.0.3 and 5.0.5
Happy Splunking !
<< inputs.conf >>
[default]
host = WEBSERVER
[monitor://C:\webknight/App.*]
sourcetype=webknight
index=webknight-index
disabled=0
<< props.conf >>
[source::C:\webknight/App.*]
sourcetype=webknight
[webknight]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE=false
REPORT-webknightextract = webknight_extractions
TRANSFORMS-t1=eliminate_header
<< transforms.conf >>
[webknight_extractions]
DELIMS=";"
FIELDS=WAFDate,WAFTime,WAFInst,WAFEvent,WAFIPA,WAFUser,WAFHost,WAFAgent,WAFAdditions1
[eliminate_header]
REGEX=^(?:#Software:|#Date:|#LogTime:|#Fields:)\s
DEST_KEY=queue
FORMAT=nullQueue
... View more