In general I use at bare minimum these 6 props settings. I almost always have the should line merge to false, so I not really sure how the specific this setting applies to the pipeline, and how it affects the searchTimeExtractions transform. Feel free to knowledge transfer 😁 I try to avoid line merging for performance issues, and  just try to make more complex line breakers to account for multi lines. SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TRUNCATE= MAX_TIMESTAMP_LOOKAHEAD= TIME_FORMAT= TIME_PREFIX=     For the delete command you could do something like this in the PROPS file, again I am not to familiar of the deeper level difference between nullQueue vs SEDCMD. Feel free to show me some pros and cons of either:   SEDCMD-removeHeaders = s/name,number,colour//g     ... View more

@dperry  I think it's a bit more nuanced than putting the props and transforms files on all the indexers.  The first question you really want to ask yourself before you do this, when do you want your extractions to take place. In the most general sense, you can put both files on almost all Splunk server instances. But not all the settings will take affect or make sense. Do you want INDEX time extractions OR SEARCH time extractions.    INDEX time extractions: Are done prior to indexing and will increase license cost.  Moves the processing load to the indexer side(when data comes in) If you want indexed extractions : Add something like this to your props and deploy them to the HF/UF(initial index time processing node) depending on how your architecture is setup.  Props: INDEXED_EXTRACTIONS = CSV *************************************************************************************************Important caveat, forwarded structured data is not parsed at the indexer. This needs to be done a the forwarding level: https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Caveats_for_routing_and_filtering_structured_data *************************************************************************************************   SEARCH time extractions: Are done at search time on the Search heads. If many users are using search heads moves the processing load to search time, and may affect search performance.  No additional license cost. If you want search-time extractions : Add something like this to your props and transforms, and deploy to your processing node AND search head (You could split up the configs and deploy parts of the required configs to each server but for simplicity just deploy the same package everywhere. The REPORT vs TRANSFORMS is used to control index time vs search time extractions).  Assume the simplified source file is like this, and your values don't have commas within them: name,number,colour bob,34,red sam,23,blue gary,4,cyan Props: [yourSourcetype] ... All your other settings ... KV_MODE=none TRANSFORMS-deleteHeader = deleteHeader REPORT-searchTimeExtractions = searchTimeExtractions Transforms: [deleteHeader] REGEX=name,number,colour DEST_KEY = queue FORMAT = nullQueue [searchTimeExtractions] REGEX=^(?<name>[^,]*?),(?<number>[^,]*?),(?<colour>[^,]*?)[\n\r]   Link to props docs, explaining the difference between REPORT and TRANSFORMS: https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Propsconf Link to the sequence of search time operations in Splunk: https://docs.splunk.com/Documentation/Splunk/8.1.0/Knowledge/Searchtimeoperationssequence   ... View more