INDEXED_EXTRACTIONS, Universal Forwarder & Splunk Cloud

zapping575 — Wed, 29 Apr 2026 09:38:20 GMT

One of my sourcetypes is a CSV file (with CSV header)

I was using this sourcetype stanza in props.conf:

[foo_bar] INDEXED_EXTRACTIONS = csv TIME_FORMAT = %Y%m%d%H%M%S%Q TIMESTAMP_FIELDS = Year,Month,Day,Hour,Minute,Second,Seq HEADER_FIELD_LINE_NUMBER = 1 HEADER_FIELD_DELIMITER = ; FIELD_DELIMITER = ; SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) REPORT-foo_bar-default = sourcefields-default

I have come to notice that with splunk cloud, the indexed extractions are apparently no longer being applied. While the sourcetype is correctly assigned and the REPORT is also being applied, the actual indexed extraction does not take place. When I run a search for sourcetype foo_bar, I cannot see any of the fields defined by the CSV header. I also made sure the CSV header is actually present.

My setup is like this:

(1) Universal Forwarder -> (2) Universal ("Intermediate") Forwarder -> (3) Splunk Cloud

I tried applying these settings at both (1) and (3). In both cases it did not work.

Am I missing out on something?

Re: INDEXED_EXTRACTIONS, Universal Forwarder & Splunk Cloud

zapping575 — Wed, 29 Apr 2026 15:57:56 GMT

Rather unsurprisingly, this was another case of PEBKAC.

Changing the value of

HEADER_FIELD_LINE_NUMBER

back to 0 did the trick.

props.conf on the UF:

[source:://my.csv] INDEXED_EXTRACTIONS = csv TIME_FORMAT = %Y%m%d%H%M%S%Q TIMESTAMP_FIELDS = Year,Month,Day,Hour,Minute,Second,Seq HEADER_FIELD_LINE_NUMBER = 0 HEADER_FIELD_DELIMITER = ; FIELD_DELIMITER = ; SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) sourcetype = foo_bar

props.conf on my local stand alone instance:

[foo_bar] REPORT-foo_bar-default = sourcefields-default

topic Re: INDEXED_EXTRACTIONS, Universal Forwarder & Splunk Cloud in Getting Data In

INDEXED_EXTRACTIONS, Universal Forwarder & Splunk Cloud

Re: INDEXED_EXTRACTIONS, Universal Forwarder & Splunk Cloud