I'm pulling Exchange ActiveSync information from our IIS logs on OWA and I want to perform a transform on Apple devices to make readability easier (to allow us to determine which HW/SW version the user is running). It's fairly simple, but I'm new to Splunk and something isn't working quite right.
I created a props.conf file here: $SPLUNK/etc/system/local/props.conf. This file isn't complete, I just filled in a few values for testing, but the search results still show the unmodified logs.
Thanks, I decided to go with the rex/sed searching and conversion. You were right about props.conf. I was supposed to be saving this to the universal forwarder that was indexing the data, but I was saving props.conf on the actual Splunk server after the data had already been indexed.
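The rex/sed approach described above, as an added example that is not part of the original thread or of Splunk's own code. It assumes Apple ActiveSync devices identify themselves with a user agent of the form `Apple-<hardware model>/<OS build>` (for instance `Apple-iPhone5C2/1101.501`), which the thread never shows, and the IIS W3C log excerpt is constructed. The regex is the one you would hand to Splunk's `rex` command; the `rewrite_user_agent` function shows the equivalent `sed`-style substitution. The friendly-name table is left empty on purpose: map model identifiers to marketing names from your own inventory rather than from a guessed table.

```python
"""Pull hardware model and OS build out of Apple ActiveSync user agents in IIS logs.

Added example, not from the original thread. Assumed user-agent format:
"Apple-<hardware model>/<OS build>", e.g. Apple-iPhone5C2/1101.501.
The log lines below are constructed.
"""
import re
from typing import Dict, List, Optional

# Same pattern you would use in Splunk's rex command. Note the named-group syntax:
# Python uses (?P<name>...), SPL uses (?<name>...).
APPLE_EAS_UA = re.compile(r"^Apple-(?P<model>[A-Za-z]+\d+C\d+)/(?P<build>[\d.]+)$")

# Constructed IIS W3C log excerpt: a #Fields header, two ActiveSync hits and one OWA hit.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username cs(User-Agent) sc-status
2013-10-01 08:15:02 POST /Microsoft-Server-ActiveSync jdoe Apple-iPhone5C2/1101.501 200
2013-10-01 08:15:09 POST /Microsoft-Server-ActiveSync asmith Apple-iPad3C4/1002.329 200
2013-10-01 08:15:11 GET /owa/ bwayne Mozilla/5.0+(Windows+NT+6.1) 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            values = line.split()  # IIS encodes spaces inside a field as '+'
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def apple_eas_fields(user_agent: str) -> Optional[Dict[str, str]]:
    """Return eas_family/eas_model/eas_build for an Apple EAS user agent, else None."""
    m = APPLE_EAS_UA.match(user_agent)
    if not m:
        return None
    model = m.group("model")
    family = re.match(r"[A-Za-z]+", model).group(0)  # iPhone / iPad / iPod prefix
    return {"eas_family": family, "eas_model": model, "eas_build": m.group("build")}


def rewrite_user_agent(user_agent: str) -> str:
    """sed-style rewrite (what a SEDCMD in props.conf would do); non-Apple UAs pass through."""
    return APPLE_EAS_UA.sub(r"Apple \g<model> build \g<build>", user_agent)


def transform(text: str, friendly_names: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Extract one record per Apple ActiveSync request: user, family, model, build."""
    friendly_names = friendly_names or {}  # fill from your own inventory
    out: List[Dict[str, str]] = []
    for row in parse_w3c(text):
        parsed = apple_eas_fields(row.get("cs(User-Agent)", ""))
        if parsed is None:
            continue  # not an Apple EAS device, leave the event alone
        parsed["eas_device"] = friendly_names.get(parsed["eas_model"], parsed["eas_model"])
        out.append({"cs-username": row["cs-username"], **parsed})
    return out


if __name__ == "__main__":
    for rec in transform(SAMPLE_IIS_LOG):
        print(rec)
```

In SPL the search-time equivalent is `... | rex field=cs_User_Agent "^Apple-(?<eas_model>[A-Za-z]+\d+C\d+)/(?<eas_build>[\d.]+)$"` (assuming `cs_User_Agent` is the field name your IIS extraction produces; check it with the field sidebar first). Two caveats worth keeping in mind when choosing between this and a props.conf `SEDCMD`: an index-time SEDCMD runs on the instance that parses the data (a heavy forwarder or the indexer, not a universal forwarder), and it only affects events indexed after the change, whereas `rex` works on everything already in the index.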