This happens in one of newly installed 10.0.1 instances.  The only data ingested is tutorialdata.zip from Splunk Tutorial.  The tutorial exercises on fields like action, productId, etc.  But this instance gives none of them.  After some long diagnosis, I found the culprit: The search command doesn't perform default key-value extraction in raw events.  Even if I force an extract command in search like this,

sourcetype=access_combined_wcookie
| extract kvdelim== pairdelim=&

those fields are still not extracted:

Only when I force the same pairdelim + kvdelim directly on url_query like this

sourcetype=access_combined_wcookie
| rename _raw as temp
| rename uri_query as _raw
| extract kvdelim== pairdelim=&

will this instance extract those fields:

How can I find the root cause?

Additional data points:

• If I remove kvdelim== pairdelim=& from extract command, those fields can no longer be extracted even from url_query.
• Automatic extraction with transform access-extraction (i.e., REPORT-access = access-extractions) works just fine on sourcetype access_combined_wcookie. Otherwise fields like clientip and url_query will not be available.
• I tested tutorialdata.zip in several other instances including a new 10.0 instance on Macbook.  No such problem exists.