I have a process setup in the Data Curator app that will periodically go through your data and update a lookup that has sourcetypes and field names. This was done pre KV stores which would be a better process /shrug. At any rate the base query is

earliest=-45s index=asc_tech | regex sourcetype!="(-\d+$|-too_small$)" | dedup sourcetype | fields - _raw date_* index linecount punct eventtype time*pos splunk_server timestamp host source tag* _* | foreach * [eval <<FIELD>> = if(isnotnull('<<FIELD>>'), sourcetype, null())] | stats values(*) as * | transpose | rename "row 1" as sourcetype column as field | makemv delim=" " sourcetype | mvexpand sourcetype | where field!="sourcetype"

With the lookup method the data is quick go through and the process to keep it update runs in the background. With that in place I've done thing like compare the fields to what is called out in the CIM etc. For example (link)