OP here, I'll post my own answer should anyone be headed down the same path. The general suggestions are correct . . . for my case (PLC Data coming in from a factory) . . . my best option is to import the data "as is". Then use Settings -> Fields -> Field Extraction, to form regular expressions and define each of the field (sub fields actually) within each Tag from the PLC. Yes, this seems non-obvious. It means the Tags are being interpreted at SEARCH time, not at Ingestion time. You'd naturally think this would be inefficient, but Splunk seems to be designed for speed around this concept. So, for each of the (approx 20) types of PLC Tag's I'm monitoring, I've regex split up the fields, and can search and report on those fields as if they were "there all along". So, I can't answer the original question I asked (where to actually split up the fields coming from Kepware and the "IDF for Splunk" forwarder). But, I've at least determined that I shouldn't be trying. Using regex and splitting fields up at Search time was the way to go for me. Thanks to any who read the question and attempted to answer.
... View more