I'll mark this as the answer as it's definitely a viable solution, even though I won't be using it myself due to other considerations.
I'll likely make a solution using the Splunk SDK.
Thanks for your time 🙂
For others looking at this, rich7177 links to a description of the collect command, which you can use to achieve what woodcock describes:
eventtypetag="download" | collect index=downloadcount
This will basically duplicate the events into the defined index, with some changes to source and sourcetype (and raw perhaps, as woodcock writes).