Hi
Just a note that your field extraction below has global permission and overwrites other "user" field name extraction. You should make it app permission level only.
default : EVAL-user user md5(clientip."_".http_user_agent)
Hi Brandonf
Thanks for reporting this in. There were a also few users who noted this.
There is a new version of the app (1.4) which fixes this issue and adds on some new functionality.
https://splunkbase.splunk.com/app/2699/
j