Renames in Splunk Add-on for Microsoft IIS not working
We are using the Splunk Add-on for Microsoft IIS, and I am running into an odd issue where the renames are not working. We are running the add-on with Splunk Enterprise 7.2. The original fields are coming in fine, but the renames to the CIM-compliant names are not taking place. I am particularly having this issue with cs_Referer and cs_User_Agent. Here are my transforms and props entries:
TRANSFORMS.CONF:
[auto_kv_for_iis_default_IFS1]
DELIMS = " "
FIELDS = date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs_User_Agent cs_Referer sc-status sc-substatus sc-win32-status time-taken
[iis_action_lookup]
filename = iis_action_lookup.csv
PROPS.CONF:
[IFS:http_server]
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = false
REPORT-auto_kv_for_iis_default_IFS1 = auto_kv_for_iis_default_IFS1
LOOKUP-iis_action_lookup = iis_action_lookup status OUTPUT action
FIELDALIAS-cs_username = cs_username as user
FIELDALIAS-cs_User_Agent = cs_User_Agent as http_user_agent, cs_User_Agent_ as http_user_agent, 'cs(User-Agent)' as http_user_agent
FIELDALIAS-cs_uri_stem = cs_uri_stem as uri_path
FIELDALIAS-cs_uri_query = cs_uri_query as uri_query
FIELDALIAS-TimeTakenMS = TimeTakenMS as duration, TimeTakenMS as response_time, time_taken as duration, time_taken as response_time
FIELDALIAS-sc_status = sc_status as status
FIELDALIAS-s_sitename = s_sitename as site
FIELDALIAS-s_ip = s_ip as dest_ip, s_ip as dest, s_ip as dvc
FIELDALIAS-s_port = s_port as http_port, s_port as dest_port, s_port as port
FIELDALIAS-s_computername = s_computername as host
FIELDALIAS-RequestsPerSecond = RequestsPerSecond as hits_per_second
FIELDALIAS-cs_Referer = cs_Referer as http_referrer, cs_Referer_ as http_referrer, cs_Referer as http_referer, cs_Referer_ as http_referer, 'cs(Referer)' as http_referer
FIELDALIAS-cs_method = cs_method as http_method
FIELDALIAS-cs_Cookie = cs_Cookie as cookie, cs_Cookie_ as cookie
FIELDALIAS-c_ip = c_ip as src_ip, c_ip as src
FIELDALIAS-sc_bytes = sc_bytes as bytes_out
FIELDALIAS-cs_bytes = cs_bytes as bytes_in
EVAL-http_user_agent_length = len(http_user_agent)
EVAL-bytes = bytes_in + bytes_out
EVAL-web_server = host . ":" . site
EVAL-vendor = "Microsoft"
EVAL-product = "Internet Information Services (IIS)"
EVAL-vendor_product = "Microsoft Internet Information Services (IIS)"
EVAL-app = "Microsoft Internet Information Services (IIS)"
EVAL-url = if((isnotnull(case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) AND isnotnull(s_ip) AND isnotnull(s_port) AND isnotnull(cs_uri_stem) ), (case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) . "://" . s_ip . ":" . s_port . cs_uri_stem . if(isnull(cs_uri_query) OR (cs_uri_query =="-"), "", "?" + cs_uri_query), "")
EVAL-url_length = len(if((isnotnull(case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) AND isnotnull(s_ip) AND isnotnull(s_port) AND isnotnull(cs_uri_stem) ), (case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) . "://" . s_ip . ":" . s_port . cs_uri_stem . if(isnull(cs_uri_query) OR (cs_uri_query =="-"), "", "?" + cs_uri_query), ""))
EVAL-role = "web_server"
pulldown_type = true
description = Log files produced by Microsoft IIS W3C log files (search-time field extraction)
category = Web
DATETIME_CONFIG =
NO_BINARY_CHECK = true
disabled = false
Thank you for your help.
Andrew
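The extraction and alias chain the post is about, as an added example that is not part of the original post or of the Splunk Add-on for Microsoft IIS: a small Python model of DELIMS/FIELDS extraction with key cleaning followed by FIELDALIAS resolution, run over a constructed IIS W3C log line using the FIELDS list and several FIELDALIAS lines copied from the question. The simplified CLEAN_KEYS behaviour, the sample line and the lower-case FIELDS variant are assumptions. What it shows is that an alias only fires when its source name matches an extracted field name exactly (field names are case-sensitive), which is why the add-on lists several spellings per target, and that listing the targets that received no value from any source pinpoints which "renames are not taking place".

```python
import re

# Constructed IIS W3C log line (not a real event) whose 15 tokens line up with
# the FIELDS order in the question's transforms.conf stanza.
SAMPLE_LINE = ("2019-03-01 12:00:00 10.0.0.5 GET /index.html - 443 - 10.0.0.9 "
               "Mozilla/5.0+(Windows+NT+10.0) https://example.com/ 200 0 0 15")

# FIELDS exactly as in the question's [auto_kv_for_iis_default_IFS1] stanza.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs_User_Agent cs_Referer sc-status sc-substatus sc-win32-status "
          "time-taken").split()

# Hypothetical variant (assumption): same columns, the two names in lower case.
FIELDS_LOWERCASE = [f.lower() if f in ("cs_User_Agent", "cs_Referer") else f
                    for f in FIELDS]

# A few FIELDALIAS lines copied from the question's props.conf stanza.
FIELDALIAS_LINES = [
    "FIELDALIAS-cs_User_Agent = cs_User_Agent as http_user_agent, "
    "cs_User_Agent_ as http_user_agent, 'cs(User-Agent)' as http_user_agent",
    "FIELDALIAS-cs_Referer = cs_Referer as http_referrer, cs_Referer_ as http_referrer, "
    "cs_Referer as http_referer, cs_Referer_ as http_referer, 'cs(Referer)' as http_referer",
    "FIELDALIAS-c_ip = c_ip as src_ip, c_ip as src",
    "FIELDALIAS-sc_status = sc_status as status",
]


def clean_key(name):
    """Simplified model of CLEAN_KEYS (assumption): every character that is not a
    letter, digit or underscore becomes an underscore, so 's-ip' -> 's_ip' and
    'cs(User-Agent)' -> 'cs_User_Agent_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def extract_delims(line, fields, delims=" "):
    """Model DELIMS/FIELDS extraction: split on the delimiter and pair tokens with
    field names positionally; surplus tokens are dropped, missing ones are absent."""
    return {clean_key(name): value for name, value in zip(fields, line.split(delims))}


ALIAS_RE = re.compile(r"^FIELDALIAS-\S+\s*=\s*(.*)$")
PAIR_RE = re.compile(r"""\s*(?:'([^']+)'|"([^"]+)"|(\S+))\s+as\s+(\S+)\s*""", re.IGNORECASE)


def parse_fieldalias(line):
    """Turn one FIELDALIAS-<name> = a as b, 'c(d)' as e line into [(src, dst), ...]."""
    m = ALIAS_RE.match(line)
    if not m:
        raise ValueError("not a FIELDALIAS line: %r" % line)
    pairs = []
    for part in m.group(1).split(","):
        pm = PAIR_RE.fullmatch(part)
        if not pm:
            raise ValueError("cannot parse alias pair: %r" % part)
        src = pm.group(1) or pm.group(2) or pm.group(3)
        pairs.append((src, pm.group(4)))
    return pairs


def apply_aliases(event, alias_lines):
    """Resolve aliases against the extracted event. A source must match an extracted
    name exactly (case-sensitive). Returns the event with alias targets added and
    the list of (src, dst) pairs whose source was not present."""
    out = dict(event)
    unresolved = []
    for line in alias_lines:
        for src, dst in parse_fieldalias(line):
            if src in event:
                out[dst] = event[src]
            else:
                unresolved.append((src, dst))
    return out, unresolved


def missing_targets(event, alias_lines):
    """CIM target names that received no value from any of their sources."""
    out, _ = apply_aliases(event, alias_lines)
    targets = {dst for line in alias_lines for _, dst in parse_fieldalias(line)}
    return sorted(t for t in targets if t not in out)


def diagnose(line, fields, alias_lines=FIELDALIAS_LINES):
    """Extract, alias, and report what did and did not resolve for one event."""
    event = extract_delims(line, fields)
    aliased, unresolved = apply_aliases(event, alias_lines)
    return {"extracted": sorted(event), "aliased": aliased,
            "unresolved_sources": unresolved,
            "missing_targets": missing_targets(event, alias_lines)}


if __name__ == "__main__":
    for label, fields in (("question's FIELDS", FIELDS),
                          ("lower-case variant", FIELDS_LOWERCASE)):
        report = diagnose(SAMPLE_LINE, fields)
        print(label, "-> missing CIM targets:", report["missing_targets"] or "none")
```

With the FIELDS list from the question every target resolves (the leftover unresolved sources such as `cs_Referer_` and `cs(Referer)` are just the other spellings the add-on guards against), while the lower-case variant leaves `http_user_agent`, `http_referrer` and `http_referer` empty, which is the symptom described. The same check can be done in Splunk itself by running `| fieldsummary` on a few events and comparing the extracted names against the alias sources.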
