This is a strange one. I have a data source which has multiple values in two separate fields, so I use the makemv and then mvexpand commands, which work well, and as expected, when rendered in Splunk. Here's my code:
| makemv delim=";" groups | makemv delim=";" users | mvexpand groups | mvexpand users
| table groups admin users action _raw
I can see each new event and the relevant value from the mvexpand looks to only include the characters I expect (e.g. no special characters) when rendered in Splunk.
The problem is when I export the results to a .csv file. The new events resulting from the mvexpand command pick up some special characters. I can see this when I view the .csv in an editor such as Notepad++.
I've mocked up an example here showing only two events. I've used [LF], [CR] and [Tab] to represent the special characters (line feed, carriage return and tab):