As a general statement, all data in Splunk that you want to use in ES needs to be CIM compliant. These means that the TA's used to parse events, extract and alias fields, all need to have CIM compliant mappings.
@ekost's link is a good starting point, along with : http://docs.splunk.com/Documentation/CIM/4.2.0/User/Overview
... View more