It's pretty straight-forward:

field1=value1 field2=value2 field3=value3

The sourcetype is configured with KVMODE=auto. We also have an app on the search-head, which also does extractions against this sourcetype, using transforms. IMO, the app isn't needed, unless there's some need for it with CIM/ES, which I'm really just getting familiar with.

Yea...def straightforward. My guess is your hunch: a case of over engineering. While they may have considered it benign, it def would produce redundant processing and marginally slow down the Search Head processing.

If I were you, here's what I would do to validate:

• Export a sample of the data to my local sandbox and index it there showing that the name/value pairs are available out of the box
• Comment out the related reference to the transforms that exists in props (but not the transforms itself as it might be used by other sourcetypes) and see if it still works
• Change KV_MODE from auto to auto_escaped. See props.conf.spec

To be safe, you might as well share what the transforms is. You mentioned KV_MODE which is props. But let's be sure about what the purpose of the related transforms is.

Also, it could be the case that in your environment, someone erroneously edited the default KV_MODE thereby obligating any sourcetype to need such over-the-top extra config.