Hi
Splunk best practices advise that you don’t edit any files in the default folder, but to create a new configuration file in the corresponding local folder, if one doesn’t already exist. The problem with making changes to the default folder is that any changes may be overwritten when a new version of Splunk, or a new version of the app is installed. Configuration file maintenance is covered in the Admin documentation here - http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Aboutconfigurationfiles
One problem with your original transforms.conf is the duplication of the [discard_events] stanza, the stanza names need to be unique. I suspect you ended up with just the final occurrence of the stanza being recognised by Splunk. There is a command line utility called btool - http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations - that, amongst other things, allows you to troubleshoot configuration file issues or see what values are being used by your Splunk Enterprise installation.
Enjoy your Splunk journey.
... View more