Remove multiple values from a multivalue field

This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter.


date_zone=local is bad

Impact: because no timezone is stored with the events, they are interpreted in the local user's timezone, so users in different timezones will not see the logs in the same order. If no TZ is specified in the data, one option is to hard-code a timezone.
