date_zone=local is bad

Impact: since there is no timezone, the logs will have the same timezone as the local user. Therefore in another timezone, the logs won’t have the same order. If no TZ is specified, perhaps we could hard code one. |tstats count where index=* date_zone=local by index, sourcetype

Continue Reading →