Hello,

I made a mistake during on migration on data source. I moved from csv format to json.

Suppose the migration date is day A.

On that day, I have in my props.conf (the one on the indexer cluster)

[toto]

INDEXED_EXTRACTIONS = json

When I looked at the result on the Search Cluster, the field where displayed twice.

I missed the props.conf on the SHC saying :

[toto]

KV_MODE = json.

So on day B : I rolled back => and deleted the "INDEXED_EXTRACTIONS" from the props.conf file on the IDX cluster.

Since day B : results are perfectly fine.

BUT :

When I look at events between A and B period => the fields are displayed twice.

I need to keep the KV_MODE on, because otherwise, I cannot extract any data when searching (no extraction made at index time before day A and after day B).

As a results, all calculus using part of period between A and B are false. I even get percentage > 100%.

Question is :

- do you have any idea how to fix this so the results of the splunk command will be ok (I can't believe I'm the only one to face this wall).

- is there any way to delete the extracted fields withour deleting (masking) the data ?

Thanks everyone,

Regards,

Ema