Sorry to necro the thread but I had the same problem and fixed it.
I found that there was a part of the ...../etc/apps/Splunk_CiscoFirewalls/default/transforms.conf incorrectly defined...
I commented out the bottom REGEX and uncommented the top one. My messages are of type ASA-[etc] not ASA--[etc]. Maybe this is different across versions of the OS.
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
#REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
[/code]
... View more