Hello to the community!
I am trying to index Sophos events into Splunk but I am facing a problem. I have set up the XML file of the Sophos Reporting Interface, I have all the logs exported to a folder monitored by Splunk forwarder, but I cannot force the sourcetypes to get mapped according to this article: http://docs.splunk.com/Documentation/AddOns/latest/Sophos/Configureinputs.
I have edited inputs.conf and transforms.conf, but no luck so far. I get the following sourcetypes:
Sourcetype                  Count   Percent
DefaultCommonEvents-2           7   46.667%
AppControl-too_small            5   33.333%
DefaultThreats-2                2   13.333%
ThreatInstances-too_small       1    6.667%
My inputs.conf:
# Windows event log input for Sophos Patch (disabled = 1, so it is not collected)
[WinEventLog://Sophos Patch]
disabled = 1
checkpointInterval = 5
current_only = 0
start_from = oldest
sourcetype = WinEventLog:SophosPatch

# Sophos Reporting Interface export files; the sourcetype is assigned per file at input time.
# Sourcetype names are case-sensitive, so they must match props.conf exactly.
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ThreatInstances.log]
disabled = 0
sourcetype = sophos:threats

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\WebData.log]
disabled = 0
sourcetype = sophos:webdata

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\Firewall.txt]
disabled = 0
sourcetype = sophos:firewall

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\AppControl.log]
disabled = 0
# lowercase to match the sophos:appcontrol stanza in props.conf
sourcetype = sophos:appcontrol

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DeviceControl.txt]
disabled = 0
sourcetype = sophos:devicecontrol

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\TamperProtection.log]
disabled = 0
sourcetype = sophos:tamperprotection

[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\DataControl.txt]
disabled = 0
sourcetype = sophos:datacontrol

# ComputerData is currently not collected (disabled = 1)
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ComputerData.log]
disabled = 1
sourcetype = sophos:computerdata
And props.conf:
# Applies to every event from this host. TRANSFORMS-* runs at index time (parsing phase),
# so it takes effect on the indexer or heavy forwarder, not on a universal forwarder,
# and it rewrites whatever sourcetype inputs.conf assigned.
[host::uni-sepm-01]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

# Backslashes are escaped in source:: stanza names.
# This stanza rewrites the sophos:threats sourcetype from inputs.conf to sophos:sec at index time.
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log]
TRANSFORMS-force_sourcetype = all_sourcetype_sec

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\WebData.log]
sourcetype = sophos:webdata

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\Firewall.txt]
sourcetype = sophos:firewall

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\AppControl.log]
sourcetype = sophos:appcontrol

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DeviceControl.txt]
sourcetype = sophos:devicecontrol

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\TamperProtection.log]
sourcetype = sophos:tamperprotection

[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DataControl.txt]
sourcetype = sophos:datacontrol

# "..." is a wildcard; note the .sophos extension differs from the monitored ComputerData.log
[source::...ComputerData.sophos]
sourcetype = sophos:computerdata
And finally quoting relevant path of transforms.conf:
# Force all data to sourcetype, useful under a host:: stanza in props.conf
[all_sourcetype_sec]
DEST_KEY = MetaData:Sourcetype
REGEX = (.)
FORMAT = sourcetype::sophos:sec
Can anyone help?
Thanks in advance!
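The post shows the three places where a sourcetype can be set or rewritten (inputs.conf, props.conf source::/host:: stanzas, and index-time TRANSFORMS), and the "-too_small" / "-2" names mean Splunk auto-learned a sourcetype because none it could use was assigned. As an added example, not code from the original post or from the Splunk Add-on for Sophos, the script below cross-checks a constructed inputs.conf / props.conf / transforms.conf trio modelled on the post and reports the inconsistencies a practitioner would look for: sourcetypes that differ only in case between inputs.conf and props.conf, source:: stanzas that match no monitored path, props stanzas whose TRANSFORMS rewrite the sourcetype an input already set, and TRANSFORMS classes referenced but never defined. The conf texts, the host name and the `lint`/`parse_conf` helpers are all constructed here; the checks rest on documented Splunk behaviour (sourcetype names are case-sensitive, `...` and `*` are the wildcards in source:: stanza names, and a transform with `DEST_KEY = MetaData:Sourcetype` rewrites the sourcetype at index time).

```python
"""Cross-check inputs.conf, props.conf and transforms.conf for sourcetype mismatches.

Added example (not from the post or the Sophos add-on). The conf texts below are
constructed to mirror the post. Checks rely on documented Splunk behaviour:
sourcetype names are case-sensitive, '...' and '*' are the wildcards allowed in
source:: stanza names, and TRANSFORMS-* with DEST_KEY = MetaData:Sourcetype
rewrites the sourcetype at index time, after inputs.conf has assigned one.
"""
import re

INPUTS = r"""
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\ThreatInstances.log]
sourcetype = sophos:threats
[monitor://C:\Program Files (x86)\Sophos\Reporting Interface\Log Files\AppControl.log]
sourcetype = sophos:AppControl
"""

PROPS = r"""
[host::uni-sepm-01]
TRANSFORMS-force_sourcetype = all_sourcetype_sec
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\ThreatInstances.log]
TRANSFORMS-force_sourcetype = all_sourcetype_sec
[source::C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\AppControl.log]
sourcetype = sophos:appcontrol
[source::...ComputerData.sophos]
sourcetype = sophos:computerdata
"""

TRANSFORMS = r"""
[all_sourcetype_sec]
DEST_KEY = MetaData:Sourcetype
REGEX = (.)
FORMAT = sourcetype::sophos:sec
"""


def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}; '#' comment lines skipped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def source_regex(pattern):
    """props.conf source:: name -> regex. '...' matches anything, '*' anything
    but a path separator, the rest is literal. Stanza names write a backslash
    as '\\\\', so collapse those before comparing with the monitored path."""
    parts = re.split(r"(\.\.\.|\*)", pattern.replace("\\\\", "\\"))
    body = "".join(".*" if p == "..." else r"[^\\/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile("^" + body + "$")


def classes(value):
    """'TRANSFORMS-x = a, b' -> ['a', 'b']"""
    return [c for c in re.split(r"\s*,\s*", value) if c]


def lint(inputs, props, transforms):
    """Return human-readable findings; an empty list means the trio is consistent."""
    findings = []
    rewriters = {n for n, s in transforms.items() if s.get("DEST_KEY") == "MetaData:Sourcetype"}
    paths = [s[len("monitor://"):] for s in inputs if s.startswith("monitor://")]
    for stanza, settings in props.items():  # props-side checks
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for cls in classes(value):
                if cls not in transforms:
                    findings.append(f"[{stanza}] {key} references undefined transform '{cls}'")
            if stanza.startswith("host::") and set(classes(value)) & rewriters:
                findings.append(f"[{stanza}] {key} rewrites the sourcetype of every event from "
                                f"this host at index time, overriding inputs.conf")
        if stanza.startswith("source::") and not any(source_regex(stanza[8:]).match(p) for p in paths):
            findings.append(f"[{stanza}] matches no monitored path in inputs.conf")
    for stanza, settings in inputs.items():  # input-side checks
        if not stanza.startswith("monitor://"):
            continue
        path, want = stanza[len("monitor://"):], settings.get("sourcetype")
        if want is None:
            findings.append(f"[{stanza}] sets no sourcetype; Splunk auto-learns one ('<file>-too_small')")
            continue
        for pstanza, psettings in props.items():
            if not (pstanza.startswith("source::") and source_regex(pstanza[8:]).match(path)):
                continue
            got = psettings.get("sourcetype")
            if got and got != want:
                why = "differs only in case from" if got.lower() == want.lower() else "is overridden by"
                findings.append(f"[{stanza}] sourcetype '{want}' {why} '{got}' in [{pstanza}]")
            for key, value in psettings.items():
                if key.startswith("TRANSFORMS-") and set(classes(value)) & rewriters:
                    findings.append(f"[{pstanza}] {key} rewrites sourcetype '{want}' at index time "
                                    f"via {', '.join(classes(value))}")
    return findings


def run():
    """Lint the constructed conf trio above (four findings expected)."""
    return lint(parse_conf(INPUTS), parse_conf(PROPS), parse_conf(TRANSFORMS))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Point `parse_conf` at the real files (for example the output of `splunk btool inputs list --debug`, `splunk btool props list --debug` and `splunk btool transforms list --debug`, which also shows which app each setting comes from) and the same checks run against the merged configuration. Because TRANSFORMS-* is an index-time setting, the props.conf and transforms.conf to feed in are the ones on the indexer or heavy forwarder; inputs.conf is the one on the forwarder reading the files.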