| collect index='indexname' sourcetype='sourcetypename'   works fine..i  just tried it ... View more

I will try the xml solution and report back ... View more

Yes, I agree that this is such a useful solution.  The following are screenshots to replicate the exact effect as kristian_kolb's original intent: 0. Edit file knownips.csv as desired Upload CSV file in "Lookups -> Lookup table files -> Add new". (Example file name: knownips.csv)   Define lookup in "Looksup -> Lookup definitions -> Add new".  Select the file you uploaded, e.g., knownips.csv.  Check "Advanced options", scroll down to "Match type", enter CIDR(clientip), clientip being the field name used to match input. (Example lookup name: checkip.) Add automatic lookup in "Lookups -> Automatic lookups -> Add new".  Select the lookup name you give above (the prompt is "Lookup table"), then type clientip as the first entry in "Lookup input fields", then type clientip after equal sign (=).  Here, the first box is the field used for comparison in the table, the second box is the field used for lookup in input. (Example automatic lookup name: check; example sourcetype: access_combined)     ... View more

Splunk adds key-value pairs. Unless you have a very specific (and unusual) situation, index time field extraction will not improve performance. However, it is more complex, more error-prone and inflexible. This is why Splunk strongly encourages you to use search time field extractions. Index time field extraction is not faster - with very rare exceptions. Do not use it unless you must. Splunk field extractions and Splunk indexing are not the same as relational database indexes. They are not remotely equivalent from a functional configuration perspective. Did I say "don't use index time field extraction" often enough? I can say it again... Also see this answer: Search-time versus index-time field extractions ... View more