SOLVED: I installed the Splunk for Cisco Firewalls app (and the Splunk for Cisco Security app - because this provides the views and searches to make use of the Splunk for Cisco Firewalls app) on BOTH my heavy forwarder and my indexer.
The install was needed on the forwarder in order for the data to get sourcetyped correctly and have fields extracted correctly, etc. With the app only installed on my indexer, the data was not getting its sourcetype, fields extracted, etc. The install is indeed also needed on the indexer so you have an interface to the views, dashboards, searches, etc. that the Splunk for Cisco Security app provides. Perhaps it's possible you don't need the Splunk for Cisco Firewalls app installed on the indexer, and that you don't need the Splunk for Cisco Security app on the forwarder, but I didn't try this - I just have both installed on the forwarder and the indexer.