note that if you have a distributed environment you will end up with the index time props and transforms.conf on your indexers and the search time props and transforms.conf + fields.conf on your searchhead(s)

That is correct.

oh and i should say i'd like to keep the delimiter based search time extraction because its very simple for me to maintain (i.e. i don't have to do anything when devs add new logging fields as long as they follow the delimiter format)

i don't want to get into the "should i be using index time extraction" discussion. let's just assume that i need to and focus on how/if i can use delimiter based search time field extraction and index time field extraction where the index time field extracted field will also be picked up by the delimiter based search time extraction. from the docs it looks like i need to set a fields.conf stanza for that field with INDEXED=FALSE, but that seems counter-intuitive (http://www.splunk.com/base/Documentation/4.2.2/Data/Configureindex-timefieldextraction ).

Then, I guess my question becomes why is search time field extraction us a delimiter not sufficient to meet your requirements, and how is the index time extraction going to meet that requirement?

i don't really need to do both- its just that the delimiter based search time extraction is also going to pick up the field that i'm adding to the index time extraction.

I am not sure why you'd need to do both a search and index time field extraction at the same time, but this could definitely cause some wierdness. Most of the time search time field extraction is the way to go. I'd say a good 80% of the time, index time field extraction isn't the right solution. It can be quite expensive, and usually isn't worth the cost.

ok excellent, that makes sense. currently i'm using a delimited based search time extraction. this will probably cause an overlap where the field i want to change to index time extraction will also be search time extracted. will that cause any weirdness?