Either on $SPLUNK_HOME/etc/apps/{App where the source comes from}/fields.conf or $SPLUNK_HOME/etc/system/local/fields.conf, set the following configuration:
[source]
INDEXED = False
Restart Splunk.
NOTE: For Cloud users, have Support do this for you.
To my understanding, this is the reasoning behind this:
INDEXED=True
Setting this attribute to True tells Splunk that the source has already been extracted during index-time. When we run a search with that source, Splunk will look for events that have "aws.guardduty" as their source (metadata).
INDEXED=False
Setting this attribute to False tells Splunk that the source will need to be extracted during search-time. When we run a search with that source, Splunk will look for events that have "aws.guardduty" in their events (raw data). Otherwise, it will not find anything, because the source was not extracted during index-time.
Find documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Fieldsconf
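An added example (not from the original post or from Splunk) that parses the two fields.conf layers described above, resolves the effective INDEXED value for the source field, and reports whether a search on that field will be answered from metadata or from the raw events. It assumes that system/local overrides the app's fields.conf, and that Splunk's boolean spellings (true/false, 1/0, yes/no) are all accepted; both sample files are constructed.

```python
import configparser

# Constructed sample layers: the app ships `source` as an indexed field,
# and system/local turns it back off (the fix from the post above).
APP_DEFAULT_FIELDS_CONF = """\
# $SPLUNK_HOME/etc/apps/<app>/default/fields.conf (constructed)
[source]
INDEXED = True
"""
SYSTEM_LOCAL_FIELDS_CONF = """\
# $SPLUNK_HOME/etc/system/local/fields.conf (constructed)
[source]
INDEXED = False
"""

_TRUE = {"true", "t", "1", "yes", "y", "on"}
_FALSE = {"false", "f", "0", "no", "n", "off"}

def parse_bool(value):
    """Accept the boolean spellings Splunk .conf files use (assumed set)."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")

def parse_fields_conf(text):
    """Read a fields.conf body into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep INDEXED upper-case as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}

def merge_layers(layers):
    """Layers ordered lowest to highest precedence; later keys win."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

def is_indexed(merged, field):
    """Missing INDEXED is treated as False (search-time extraction)."""
    return parse_bool(merged.get(field, {}).get("INDEXED", "false"))

def search_strategy(merged, field):
    """Where a search on `field` will look: indexed metadata or raw events."""
    return "metadata" if is_indexed(merged, field) else "raw"

if __name__ == "__main__":
    effective = merge_layers([parse_fields_conf(APP_DEFAULT_FIELDS_CONF),
                              parse_fields_conf(SYSTEM_LOCAL_FIELDS_CONF)])
    print("source search strategy:", search_strategy(effective, "source"))
```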