The documentation shows that a Netcool flat file gateway is needed. I am assuming the netcool flat file gateway will produce a file that will be ingested by the forwarder. How does Splunk know to automatically the schema changes for alerts.status?
the sample gateway .props creates a '!' delimited key/value flatfile. each alerts.status action dumps all values for that row. the TA-tivoli_netcool_object_server then parses all key/value pairs via KV_MODE = auto_escaped.
