Im not sure if any apps currently extract fields from the aws:sqs:securityhub sourcetype. Is this as sourcetype that you have defined in your Splunk instance?
If so, does it match what you'd expect to see?
Im not familiar with this sourcetype, but is it JSON format? If so, I'd consider adding your own sourcetype and setting kvmode=json
Please Im aware all this settings and already using those in my props file its not parsing all fields properly so who ever ingested AWS data they may have experienced same issues.
so im looking more in depth answer who ever used this sourcetype ... not simple props transforms things ..