Ahh ok. Can you put up your props/transforms for this sourcetype? Let's see how the extraction is configured. That's where I think you'll need to make changes.
Update: It seems as though our Splunk ES setup was not in a great working state, so we simply performed a fresh install of Enterprise followed by the latest ES and all is well.
This can be closed now.
I also had the same issue while upgrading ES from 3.3 to 4.1.
./splunk search '| testessinstall' worked for me.
Awesome and thanks for the workaround.