The video tries to demonstrate the inner working of how the index time extractions work in Splunk. The data being onboarded by splunk via the universal forwarder gets extracted on the first HF/Indexer that it passes. Once field extraction happened, it will not happen again. Users onboarding data who need index time extractions i.e manipulate data, extract/amend the time fields should get the configuration done on the heavy forwarder tier. https://community.splunk.com/t5/Getting-Data-In/Where-index-time-extraction-will-happen/m-p/507412
