If the Cylance app sharing is private, then when you search sourcetype=device in Search and Reporting, the search will not use some of the settings defined in the Cylance app.
Therefore, AUTO_KV_JSON = true and KV_MODE = auto, which are the default settings for search-time extractions, will be used in the Search and Reporting app, causing the JSON data to be extracted again at search time in addition to the index-time extraction defined by INDEXED_EXTRACTIONS = json.
To fix it, change the Cylance app sharing to Global so that AUTO_KV_JSON = false and KV_MODE = none will be used when you search that sourcetype outside of the Cylance app. The double extraction shouldn't occur.
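The settings described in the answer above, laid out as configuration. This is an added example, not part of the original post or the Cylance app's shipped files: `<cylance_app>` is a placeholder for the app's directory, and it assumes the settings live in a `[device]` stanza of the app's props.conf and that sharing is controlled through the app's metadata file.

```ini
# <cylance_app>/default/props.conf  (<cylance_app> is a placeholder)
[device]
# Fields are extracted from the JSON once, at index time
INDEXED_EXTRACTIONS = json
# Search-time JSON extraction is switched off so the fields are not extracted twice
KV_MODE = none
AUTO_KV_JSON = false

# <cylance_app>/metadata/local.meta -- BEFORE: props are visible only inside the app,
# so a search run from Search and Reporting falls back to KV_MODE = auto and
# AUTO_KV_JSON = true and extracts the same fields a second time
[props]
export = none

# <cylance_app>/metadata/local.meta -- AFTER: props are exported to all apps (Global),
# so the [device] stanza above also applies in Search and Reporting
[props]
export = system
```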