I've installed the Splunk Add-on for Windows and the Splunk Add-on for Unix and Linux on the heavy forwarder. I only edited the inputs.conf file with the routes I want to monitor, but with the sourcetypes linux_secure and bash_history, when I check on my Splunk Cloud there are no fields like "src", "dest", etc. Am I missing something? Any ideas how to resolve this?
The src and dest field extractions take place at search time, so you have to put a ticket in and request that Splunk install the add-ons onto your Splunk Cloud environment. If you look in Splunk_TA_nix, you'll see that props.conf has a bunch of FIELDALIAS settings, and if you refer to https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings, you will see that FIELDALIAS is a search-time configuration.
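An added example, not part of the original answer and not Splunk's own code: a small script that sorts the settings in a props.conf by the phase in which Splunk applies them, which shows why FIELDALIAS and similar settings have no effect when the add-on exists only on the heavy forwarder. The setting lists are a partial selection, and the sample stanza content is constructed, not copied from Splunk_TA_nix.

```python
import re

# Search-time props.conf settings: applied where searches run (Splunk Cloud here).
SEARCH_TIME = re.compile(r"^(FIELDALIAS|EXTRACT|REPORT|EVAL|LOOKUP)-|^KV_MODE$")
# Parse/index-time settings: applied on the first full Splunk instance (heavy forwarder).
INDEX_TIME = re.compile(
    r"^(TRANSFORMS|SEDCMD)-|^(LINE_BREAKER|SHOULD_LINEMERGE|TIME_PREFIX|TIME_FORMAT|"
    r"MAX_TIMESTAMP_LOOKAHEAD|TRUNCATE|TZ)$"
)

# Constructed sample; not the real contents of Splunk_TA_nix props.conf.
SAMPLE_PROPS = """\
[linux_secure]
TIME_FORMAT = %b %d %H:%M:%S
SHOULD_LINEMERGE = false
EXTRACT-example_src = from (?<src_ip>\\S+) port
FIELDALIAS-example_src = src_ip AS src
FIELDALIAS-example_dest = host AS dest

[bash_history]
TRUNCATE = 10000
EVAL-example_vendor = "unix"
"""

def classify(props_text):
    """Return {stanza: {"search": [...], "index": [...], "other": [...]}}."""
    result, stanza = {}, None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            result[stanza] = {"search": [], "index": [], "other": []}
            continue
        # Settings outside a stanza and lines without "=" are skipped here.
        if stanza is None or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if SEARCH_TIME.match(key):
            phase = "search"
        elif INDEX_TIME.match(key):
            phase = "index"
        else:
            phase = "other"
        result[stanza][phase].append(key)
    return result

if __name__ == "__main__":
    for name, phases in classify(SAMPLE_PROPS).items():
        print(name, phases)
```

Run against an add-on's real props.conf, every key listed under "search" is one that needs the add-on installed on the search tier to produce fields such as src and dest.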