I thought I would comment and provide the solution for this in case other community users run into a similar problem. I was able to get this working by specifying source::<source> in props.conf rather than the index name. Index names are not supported in props.conf; the existing entries we had, which I thought were operating on index name, were actually operating on the sourcetype, which had been set on the Universal Forwarder client in inputs.conf with a name similar to the index name.

From https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf, <spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
3. source::<source>, where <source> is the source, or source-matching
pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
source type classification rule.
These are only considered as a last resort
before generating a new source type based on the
source seen.

The correct entry for props.conf is:

    [source::/var/log/firewall/firewall_test.log]
    TRANSFORMS-ngfw-drop-non-si-events = allsetnull, ngfw_si_events_whitelist

The correct entries for transforms.conf are:

    [allsetnull]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [ngfw_si_events_whitelist]
    REGEX = (URLSICategory|DNSSICategory|IPReputationSICategory)
    DEST_KEY = queue
    FORMAT = indexQueue
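The reason the stanza above works is that transforms named in a TRANSFORMS-* setting run left to right, and when several of them write the same DEST_KEY (here the queue), the last one whose REGEX matches wins. So allsetnull first marks every event for the nullQueue, and ngfw_si_events_whitelist then pulls the SI events back into the indexQueue. The following is an added example, not the poster's code or a Splunk component: a small Python model of that routing decision run over constructed firewall log lines, including what happens if the two transform names are listed in the wrong order (all events dropped). The log lines, the assumption that an empty event never reaches a transform, and the helper names are all my own.

```python
import re

# Model of the two transforms.conf stanzas from the post, in the order the
# props.conf TRANSFORMS-* setting lists them. Splunk treats REGEX as an
# unanchored search over the raw event, so "." matches any non-empty event.
TRANSFORMS = [
    # (stanza name, REGEX, DEST_KEY, FORMAT)
    ("allsetnull", re.compile(r"."), "queue", "nullQueue"),
    ("ngfw_si_events_whitelist",
     re.compile(r"(URLSICategory|DNSSICategory|IPReputationSICategory)"),
     "queue", "indexQueue"),
]

# Same transforms, listed in the wrong order: allsetnull runs last and
# overrides the whitelist, so every event is discarded.
WRONG_ORDER = list(reversed(TRANSFORMS))

# Constructed sample events; only lines 1 and 3 carry an SI category field.
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z fw01 action=drop src=10.0.0.5 dst=203.0.113.9 URLSICategory=Malware",
    "2024-05-01T10:00:01Z fw01 action=allow src=10.0.0.7 dst=10.0.1.9 proto=tcp dport=443",
    "2024-05-01T10:00:02Z fw01 action=drop src=10.0.0.8 DNSSICategory=Phishing qname=bad.example",
    "2024-05-01T10:00:03Z fw01 action=allow src=10.0.0.9 dst=10.0.1.10 proto=udp dport=53",
]


def route_event(raw: str, transforms=TRANSFORMS) -> str:
    """Return the queue an event ends up in after all transforms have run.

    Mirrors the documented behaviour: transforms are evaluated in listed
    order and the last matching one to set DEST_KEY=queue determines the
    result. Events default to the indexQueue when nothing matches.
    """
    queue = "indexQueue"
    for _name, regex, dest_key, fmt in transforms:
        if dest_key == "queue" and regex.search(raw):
            queue = fmt
    return queue


def route_events(lines, transforms=TRANSFORMS) -> dict:
    """Group a batch of raw events by the queue they are routed to."""
    result = {"indexQueue": [], "nullQueue": []}
    for line in lines:
        result[route_event(line, transforms)].append(line)
    return result


if __name__ == "__main__":
    for label, order in (("correct order", TRANSFORMS), ("wrong order", WRONG_ORDER)):
        routed = route_events(SAMPLE_LINES, order)
        print(f"{label}: {len(routed['indexQueue'])} indexed, "
              f"{len(routed['nullQueue'])} dropped")
```

With the stanzas as posted, the two SI events are indexed and the two plain allow lines are dropped; reversing the names in TRANSFORMS-ngfw-drop-non-si-events silently drops everything, which is worth checking with a few known-good events before relying on the filter in production.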