It was an issue with field extractions. Did not extract the field sys_updated_on from the servicenow event. Fixed that and then I ran the correlation search to build the csv.
Can you please explain how to do the field extraction?
Hi taskar - I'm seeing similar behavior in my environment. Running the incident modular input locally on 1 search head in my SHC running ITSI instead of running it from my heavy forwarder is how I've got it working currently. I'm on 7.3.3 on-prem RHEL7 instances with ITSI 4.4.3 and 6.0.0 snow_ta installed to HF, indexer cluster & search head cluster. I'm curious if you're on the same version of TA & where props that seem to be good OOTB needed a tweak if you're collecting data from heavy forwarder since that's where it should be running and won't work for me. Really cool to update SNow ticket and get ITSI episode updated but not sure it's so cool to have to run it this way to make it work. Any help you could provide would be greatly appreciated. Thanks
We are running on the same version as you. We just did a workaround on the correlation search in ITSI SH cluster to extract the needed kv-pair:
| extract pairdelim=",", kvdelim="=", auto=f, limit=200, mv_add=t