I'm a little late to the party, but for those with a distributed deployment using a heavy forwarder for collecting and forwarding the Duo logs, here is what I had to do to fix this issue: I don't have the Duo app on the indexers. On the heavy forwarder, I kept the default configurations in props.conf. On the search head cluster in props.conf, I set:

    [source::duo]
    KV_MODE = none
    AUTO_KV_JSON = false

You could unset INDEXED_EXTRACTIONS, but since these are dedicated search heads, it isn't really necessary. That's it. Note that if you want this to work outside of the Duo app context (i.e. not have the duplicate field extractions when searching Duo logs in the Search app), then you need to set the Duo app's permissions to global.
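Added example, not code from the original post or from the Duo app: a small Python check that parses props.conf fragments and flags stanzas where index-time JSON extraction (INDEXED_EXTRACTIONS = json) would coexist with search-time JSON extraction, the combination that produces the duplicate fields described above. The two fragments are constructed; the Splunk defaults KV_MODE = auto and AUTO_KV_JSON = true are assumed when a key is absent from a stanza.

```python
import configparser

# Constructed props.conf fragments (not the Duo app's real defaults):
# the search-head stanza from the post, and a hypothetical stanza that
# keeps INDEXED_EXTRACTIONS = json alongside search-time JSON extraction.
SEARCH_HEAD_PROPS = """
[source::duo]
KV_MODE = none
AUTO_KV_JSON = false
"""

DUPLICATING_PROPS = """
[source::duo]
INDEXED_EXTRACTIONS = json
"""

# Splunk defaults assumed to apply when a key is absent from the stanza.
DEFAULTS = {"KV_MODE": "auto", "AUTO_KV_JSON": "true"}


def parse_props(text):
    """Parse a props.conf fragment into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep Splunk setting names case-sensitive
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def find_duplicate_extraction_risks(text):
    """Return stanzas where index-time JSON extraction would coexist with
    search-time JSON auto-extraction, so the same fields are extracted
    twice on the search head."""
    risky = []
    for stanza, settings in parse_props(text).items():
        if settings.get("INDEXED_EXTRACTIONS", "").lower() != "json":
            continue
        kv_mode = settings.get("KV_MODE", DEFAULTS["KV_MODE"]).lower()
        auto_kv_json = settings.get("AUTO_KV_JSON", DEFAULTS["AUTO_KV_JSON"]).lower()
        if kv_mode != "none" or auto_kv_json != "false":
            risky.append(stanza)
    return risky


if __name__ == "__main__":
    print("search head stanza risks:", find_duplicate_extraction_risks(SEARCH_HEAD_PROPS))
    print("duplicating stanza risks:", find_duplicate_extraction_risks(DUPLICATING_PROPS))
```

Point it at the merged output of `splunk btool props list` on a search head to check the effective stanza rather than a single file.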