Hello
I am having a difficult time getting Splunk to recognize fields from my IIS 7.5 logs. I know that there are many, many posts in splunk-base regarding this - I have looked through many of them and tried the suggested answers in at least 8-10 different posts. None of them have worked for me, eventhough I don't have a custom config - just a standard IIS server with logging enabled and default fields selected. The files get indexed, but the fields are not recognized (i.e. I cannot simply search for "time-taken > 50" within the data indexed from these logs)

Here is my full config:

Splunk versions:
Client UF: 4.3.3
Intermediary UF: 4.3.3
Indexer: 4.3.4

Client UF sends data to intermediary UF, which sends it to the indexer.

My config current config (and last attempt to make this work) on the Client UF is:

C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\inputs.conf

[monitor://C:\inetpub\logs]
disabled = false
followTail = 0
sourcetype = iisw3c
index = testindex

C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\props.conf

[iisw3c]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments

C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\transforms.conf

[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue

[iisw3cfields]
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken

What I am doing wrong?

Thanks in advance!