By default, SHOULD_LINEMERGE is set to true in /opt/splunk/etc/system/default/props.conf. The Exchange app explicitly sets SHOULD_LINEMERGE to false in the fwd_* apps. Currently, the deployment doc for the Exchange app states that fwd_* components should be pushed out to the Universal Forwarders, Indexers and Search Heads. It does not mention Heavy Forwarders that will receive and send Exchange data.
To correct the problem, fwd_* components should also be pushed to the Heavy Forwarders. This can be accomplished with your deployment server or manually. The props.conf files in the fwd_* components will set SHOULD_LINEMERGE to false for all of the Exchange sourcetypes. Once this goes into effect on the Heavy Forwarders, the User counts will be correct again.
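One way to check a Heavy Forwarder for the fix described above. This is an added example, not code from the original post or from the Exchange app. It reads props.conf in every fwd_* app under a Splunk etc directory and reports what each sets for SHOULD_LINEMERGE. The app name `fwd_example`, the sourcetype `example:sourcetype` and the function names are constructed for illustration, and the simplified parser handles only plain `key = value` lines.

```python
import fnmatch
import os
import tempfile

FALSE_VALUES = {"false", "0"}  # spellings this example accepts as "off"

def parse_conf(path):
    """Minimal .conf reader -> {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, "default"
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif "=" in line:
                key, value = line.split("=", 1)
                stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit(etc_dir, pattern="fwd_*"):
    """Report SHOULD_LINEMERGE as set by fwd_* apps under <etc_dir>/apps."""
    seen = {}
    apps_dir = os.path.join(etc_dir, "apps")
    apps = sorted(os.listdir(apps_dir)) if os.path.isdir(apps_dir) else []
    for app in fnmatch.filter(apps, pattern):
        for layer in ("default", "local"):  # local wins inside one app
            conf = os.path.join(apps_dir, app, layer, "props.conf")
            if os.path.isfile(conf):
                for stanza, kv in parse_conf(conf).items():
                    if "SHOULD_LINEMERGE" in kv:
                        seen[(app, stanza)] = kv["SHOULD_LINEMERGE"].lower()
    not_false = sorted(k for k, v in seen.items() if v not in FALSE_VALUES)
    # deployed=False means no fwd_* props were found, so the default applies
    return {"deployed": bool(seen), "not_false": not_false}

def make_sample(etc_dir, app, layer, stanza, value):
    """Write a constructed props.conf (sample data, not the Exchange app's)."""
    d = os.path.join(etc_dir, "apps", app, layer)
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "props.conf"), "w", encoding="utf-8") as fh:
        fh.write(f"[{stanza}]\nSHOULD_LINEMERGE = {value}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as etc:
        print(audit(etc))  # heavy forwarder without the fwd_* apps
        make_sample(etc, "fwd_example", "default", "example:sourcetype", "false")
        print(audit(etc))  # after the fwd_* app is pushed
```

The script only inspects the fwd_* apps themselves and does not reproduce Splunk's full configuration layering; `splunk btool props list --debug` on the Heavy Forwarder shows the merged setting and the file it comes from.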