Hi!,

I have a splunk setup in which log files are being forwarded by an universal forwarder to an indexer and a search head is being used to perform the search
I have keeping the configuration files in etc/apps/app123/local in searchhead and indexer respectively.
Following are the contents of my configuration files:

On the universal forwarder:
inputs.conf (in apps/local)

[monitor:///home/abc/appLogs.txt]
sourcetype = applogs
blacklist = .(gz)$
index=main

On the search head:
props.conf

[applogs]
REPORT-parse_server=applogs
KV_MODE=none

transforms.conf

[applogs]
DELIMS = "~"
FIELDS = "Text","device_name","domain_name","OperationName","txn_id","time_stamp","FAULT","FaultCode"

On the indexer:
props.conf

[applogs]
TIMESTAMP_FIELDS = StartTimeStamp,ExitTimeStamp,App1StartTimeStamp
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%b %d %H:%M:%S
TIME_PREFIX=^
TZ=UTC
TRUNCATE=300000
pulldown_type = 1

In the search head UI raw data, I can see the events being indexed with the correct sourcetype but they are not being mapped to fields given in transforms.conf

I have ran btool against each of the config files & no issues were found. The config files are only in apps & none in system/local so it can't be a precedence issue.
I also tried by putting all configurations (props + transforms) into props.conf and keeping them in etc/app/local in searchhead and indexer.

I am not able to figure out what am I missing or where am I going wrong.
Any help will be highly appreciated.