I needed the results of dropped packets on an interface, so I modified the default interfaces.sh script to include those fields. I tested deploying to a small number of dev hosts and everything looked fine.
When I moved it to a bigger set of servers this morning, I started seeing the header in the search results. Since Splunk is now passing that and other *nix source types to "|multikv" by default, what could be going on here? Not sure where to look for this.
What is the modification that you made?