guilhemmarchand / TA-jira-service-desk-simple-addon

Atlassian JIRA add-on for Splunk alert actions

Help with results attachment - remove __mv_ fields. #111

Open stuart-alt opened 3 years ago

stuart-alt commented 3 years ago

Hello, I'm looking for help regarding the "Results Attachment" feature of the Add-on. If my search returns 3 fields, for example: ID, NAME and CITY, the attached file will have 6 fields: ID, NAME, CITY, __mv_ID, __mv_NAME and __mv_CITY. The first 3 will have the search results as normally expected, but the last 3 will be empty. Is there a way to remove the "__mv_" fields from the attached file?

I've tried using the SPL command "fields - __mv_ID, __mv_NAME and __mv_CITY" but it had no effect.

PS: This behaviour happens in both CSV and JSON formats. Thank you!

guilhemmarchand commented 3 years ago

Hi @stuart-alt

This is a standard Splunk behaviour when Splunk exports the search results to a CSV file (the way you can access Splunk search results from the alert action)

This doesn't address a real solution but is related to what you are asking for: https://community.splunk.com/t5/Getting-Data-In/How-to-get-rid-of-mv-fields-in-alert-results-csv-file/m-p/433855

I was actually looking at that earlier and couldn't yet find an appropriate and not too much killing way to achieve it, thus I believe this remains possible so I will keep this issue open and will address it in a future release.

Thanks!
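One way to post-process an exported results file so that the `__mv_` columns described in this thread are dropped before the file is attached. This is an added example, not code from the add-on or from Splunk; the function names are hypothetical, the JSON attachment is assumed to be a list of flat objects, and the sample data is constructed.

```python
import csv
import io
import json

MV_PREFIX = "__mv_"  # prefix of the companion columns named in the issue

# Constructed sample matching the issue: 3 real fields plus 3 empty __mv_ fields.
SAMPLE_CSV = (
    "ID,NAME,CITY,__mv_ID,__mv_NAME,__mv_CITY\n"
    '1,"Doe, Jane",Paris,,,\n'
    "2,Bob,Lyon,,,\n"
)
SAMPLE_JSON = json.dumps([
    {"ID": "1", "NAME": "Doe, Jane", "CITY": "Paris",
     "__mv_ID": "", "__mv_NAME": "", "__mv_CITY": ""},
])


def strip_mv_csv(text):
    """Return CSV text without any column whose header starts with __mv_."""
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows:
        return text
    header = rows[0]
    # Select columns by header name, so the filter works for any search result.
    keep = [i for i, name in enumerate(header) if not name.startswith(MV_PREFIX)]
    out = io.StringIO(newline="")
    writer = csv.writer(out, lineterminator="\n")
    for row in rows:
        # Pad short rows so a ragged line cannot raise IndexError.
        row = row + [""] * (len(header) - len(row))
        writer.writerow([row[i] for i in keep])
    return out.getvalue()


def strip_mv_json(text):
    """Same filter for a JSON attachment (assumed: a list of flat objects)."""
    records = json.loads(text)
    cleaned = [
        {k: v for k, v in rec.items() if not k.startswith(MV_PREFIX)}
        for rec in records
    ]
    return json.dumps(cleaned)


if __name__ == "__main__":
    print(strip_mv_csv(SAMPLE_CSV), end="")
    print(strip_mv_json(SAMPLE_JSON))
```

The filter removes every `__mv_` column whether or not it is empty, so any multivalue detail carried only in those columns is not preserved in the output.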