diff --git a/internal/pkg/policy/secret.go b/internal/pkg/policy/secret.go
index f711b9168..a5f15c4e0 100644
--- a/internal/pkg/policy/secret.go
+++ b/internal/pkg/policy/secret.go
@@ -89,6 +89,7 @@ func getPolicyInputsWithSecrets(ctx context.Context, fields map[string]json.RawM
 		}
 		result = append(result, newInput)
 	}
+	delete(fields, "secret_references")
 	return result, nil
 }
 
diff --git a/internal/pkg/policy/secret_test.go b/internal/pkg/policy/secret_test.go
index 055ee8f81..78766743a 100644
--- a/internal/pkg/policy/secret_test.go
+++ b/internal/pkg/policy/secret_test.go
@@ -31,6 +31,14 @@ func TestReplaceSecretRefPartial(t *testing.T) {
 	assert.Equal(t, "partial value1", val)
 }
 
+func TestReplaceSecretRefPartial2(t *testing.T) {
+	secretRefs := map[string]string{
+		"abcd": "http://localhost",
+	}
+	val := replaceSecretRef("$co.elastic.secret{abcd}/services", secretRefs)
+	assert.Equal(t, "http://localhost/services", val)
+}
+
 func TestReplaceSecretRefNotASecret(t *testing.T) {
 	secretRefs := map[string]string{
 		"abcd": "value1",
@@ -97,6 +105,9 @@ func TestGetPolicyInputsWithSecretsAndStreams(t *testing.T) {
 	result, _ := getPolicyInputsWithSecrets(context.TODO(), fields, bulker)
 
 	assert.Equal(t, expectedResult, result)
+	var refs any
+	json.Unmarshal(fields["secret_references"], &refs)
+	assert.Equal(t, nil, refs)
 }
 
 func TestGetPolicyInputsNoopWhenNoSecrets(t *testing.T) {