The splunk_hec sink does not index fields by default

There is no longer a distinction within Vector between explicit and implicit event fields. All fields are now implicit and therefore the splunk_hec sink will not index any fields by default.

Upgrade Guide

In order to mark desired fields as indexed you can use the optional configuration option indexed_fields:

 [sinks.my_sink_id]
   type = "splunk_hec"
   inputs = ["my-source-id"]
+  indexed_fields = ["foo", "bar"]