In general case endpoint define what actions you can do for your event. But when I read again your issue, this is not your problem. I’m quite sure that @PickleRick ‘s note is valid in your case. You need to try CLONE_SOURCETYPE and then manage those transforms etc. for each individual sourcetype separately.

Just wanted to toss in another possible resolution.  If your system was ungracefully shutdown, resource exhaustion, virtualization host failure, etc. it's possible the splunkd.pid file wasn't cleaned up.  From what I have found, when splunkd attempts to start, it looks at this file and attempts various operations on the existing PIDs that are listed within.  They are obviously not there and the service will fail to start.  This will be made apparent when attempting to start splunk via the binary:  SPLUNK_HOME/bin/splunk start This file is located in SPLUNK_HOME/var/run/splunk/ and can be safely removed to correct.  A new file will be created upon splunkd service starting successfully.   

1) Please show the SPL you've tried and tell us how it failed you.  It would help to see an actual (sanitized) event, too. The options to the extract command are swapped.  kvdelim is the character that separates key from value, usually "="; pairdelim is the character that separates kv pairs, usually comma or space. 2) The props.conf file has a TRUNCATE setting that defaults to 10000.  Perhaps your system has a lower value.

I don't know off the top of my head if you can get to the PDF generation functionality from within Python - I've never tried in python and I haven't been able to find any documentation within Splunk's documentation if they officially expose those calls in their Python SDK. The PDF stuff in Splunk is based off of ReportLab, and lives in %SPLUNK_HOME%\Python-3.7\Lib\site-packages\reportlab, so you can poke aroundthere a bit to see if that helps. I wasn't finding anything obvious of Splunk-written python calling the ReportLab stuff to generate a PDF, your luck might be better. You can get a PDF generated from a REST endpoint - but do keep in mind that the overall PDF generation in Splunk is dashboard-centric, not search-centric.  So you will need to create a Dashboard that renders the results for your SID, and then have that be generated as a PDF.  Here are a few posts of people generating the PDF via a REST call which you can do from the CLI, within Python, etc.  Once you have those bytes you can send those on to where you need: Solved: Re: Generate PDF from View in REST API - Splunk Community Trigger a PDF via the command line - Splunk Community Historically the built-in PDF generation of Splunk has left something to be desired.  It's just been OK...There are some apps on Splunkbase that help with various PDF things you could look into as well: PDF Apps: https://splunkbase.splunk.com/apps?keyword=pdf     

Sorry I was not being clear in my question. The general picture is I am trying to monitor disk usage with events provided through collectd. The events being generated is in JSON format. I am looking to split Values into values0 and values1, dsnames into dsnames0 and dsnames1 because those are just the names of the index I came up with of the values inside those arrays. Values has the indexes of two numbers and dsnames has the indexes of read and write. I am trying to get the values of both read and write and be able to create aggregate functions with it. Currently I am only able to show one dsname row, it can be read or write, however, I want to be able to show both.

When asking a data analytics question, data should be the first thing to describe.  It would help a lot if you can illustrate relevant sample data (anonymize as needed but preserve necessary characteristics) in text to support your implied conclusion that Splunk is not giving you to rows.  How do you convince yourself that dsname0 must have value "write" in addition to "read" that your screenshot shows? (Pro tip: Whenever possible, illustrate result in text as well.) Ultimately, what are you trying to achieve by spliting values into values0 and values1, dsnames into dsnames0 and dsnames1?  Your stats only uses values0 and dsnames0.  Is it possible that only dsname1 contain the value "write"? Again, a clear (text) illustration of input data would clarify many of these, and not force volunteers to read your mind.

OK. Look at this: props.conf: [test_sourcetype_to_recast] #Order of transform classes i crucial! You can do the same casting multiple transforms from #one class TRANSFORMS-0_extract_host = picklerick_extract_host TRANSFORMS-1_extract_source = picklerick_extract_source TRANSFORMS-2_recast_sourcetype = picklerick_recast_sourcetype TRANSFORMS-3_drop_dead = picklerick_drop_dead [destination_sourcetype] TRANSFORMS-conditional_host_overwrite = conditional_host_overwrite TRANSFORMS-cut_most_of_the_event = cut_most_of_the_event transforms.conf: [picklerick_drop_dead] REGEX = sourcetype:destination_sourcetype DEST_KEY = queue FORMAT = nullQueue [picklerick_recast_sourcetype] REGEX = sourcetype:destination_sourcetype CLONE_SOURCETYPE = destination_sourcetype [picklerick_extract_source] REGEX = source:(\w*) FORMAT = source::$1 DEST_KEY = MetaData:Source WRITE_META = true [picklerick_extract_host] REGEX = host:(\w*) FORMAT = host::$1 DEST_KEY = MetaData:Host WRITE_META = true [conditional_host_overwrite] REGEX = desthost=(\w*) FORMAT = host::$1 DEST_KEY = MetaData:Host WRITE_META = true [cut_most_of_the_event] REGEX = .*:([^:]*)$ FORMAT = $1 DEST_KEY = _raw WRITE_META = true   Now if I do this: curl -H "Authorization: Splunk my_token" http://my_host:8088/services/collector/event -d '{"index":"test1","host":"original_host","source":"original_host","sourcetype":"test_sourcetype_to_recast","event":"sourcetype:destination_sourcetype,source:destination_source,host:host1,source:source1:event:desthost=destination_host:This should be left at the end"}'  I will get this in my index As you can see, the original values of source and host fields posted with the event to HEC were completely discarded and were rewritten from the contents of the event. Then the event was cloned as the "destination_sourcetype" sourcetype when the host field was again rewritten, this time with the value provided in the "desthost=" part of the event. And finally the original event was discarded and the cloned event was cut short to leave only the part from the last semicolon till the end. Kinda ugly, kinda complicated. I'm not sure if you couldn't do similar thing with ingest actions by the way. But I'm no expert with those. One thing though - there is something not entirely right with the cloning transform because it seems to be cloning all events, not just those matching regex. I suppose that transform is lacking something. EDIT: Argh. I can point myself to my own post: https://community.splunk.com/t5/Getting-Data-In/Use-CLONE-SOURCETYPE-only-for-matching-events/m-p/667300/highlight/true#M111919 CLONE_SOURCETYPE is always applied to all events. So you'd have to further filter cloned/non-cloned events to only leave matching ones in the proper pipeline. Getting more and more complicated. Maybe it's worth fighting to get the data in a reasonable format?

Thanks for your response:  I am using c count since each user may have multiple success or failure events. When I choose "Visualization", "pie", the pie renders as one metric. However, below the pie, I can see the numbers for both events are correct. Somehow the pie does not reflect the numbers.  

None of those.  The SEDCMD setting must be on the indexer(s) and/or heavy forwarders.  It should go in the stanza where the sourcetype it goes with resides (if the file is in a default stanza then put the setting in the associated local directory).