I'm not sure if I'm missing something simple or not, but I've got event logs from my Salesforce instance fed in, as well as the User object, and for some reason I can aggregate on some fields of User but not others ... even though the fields exist in Splunk.

index=sfdc sourcetype=LightningPageViewCSV
|join USER_ID [ search sourcetype=sfdc:user | eval USER_ID=substr(Id,1,len(Id)-3) ]
|stats avg(EFFECTIVE_PAGE_TIME) by Name

// this works to aggregate by the user's name. Not really useful but it was a test to make sure something came through. The substring is b/c one object uses the 18-char Salesforce Id, the other uses the shortened 15-char Id. 

index=sfdc sourcetype=LightningPageViewCSV
|join USER_ID [ search sourcetype=sfdc:user | eval USER_ID=substr(Id,1,len(Id)-3) ]
|stats avg(EFFECTIVE_PAGE_TIME) by State__c,Loc__c

//no results from this for some reason ... State__c and Loc__c are custom fields on User.

index=sfdc sourcetype=sfdc:user
index=sfdc sourcetype=sfdc:user Name="[one of the names from the first query]"

//I run these just to see what I've got in my user object and I can see several people with non-null State__c and Loc__c

This is a new dev org I just spun up so I'm not sure if I missed a step in adding these sources or not. The LightningPageViewCSV is an imported static CSV file of the EventLogFile for testing. The sfdc:user was a one time read in of the User object. Both of these are tied to the sfdc index.