I don't like that this add-on is using INDEXED_EXTRACTIONS by default, with no seemingly easy way to switch from using them with the way that the scripted input works... Hopefully this will be improved now that Cisco owns Splunk... ... View more

It looks like this mystery has not been solved within those 11 years though! If your guess is correct, I guess they hadn't implemented Pull Requests yet whenever that code was added... 😜 I went looking for this answer, though, because in Splunk Cloud the _audit index is set to this default value for retention, and you are unable to change the retention setting for internal indexes in Splunk Cloud, so if you have a requirement to retain audit logs for 6 years, you're technically short by 6 days! ... View more

I don't see how leap years could have anything to do with it. A leap year has 1 more day than a regular year, so that doesn't explain why they would use 1 less day than a regular year... ... View more

You can split it into 2 commands to make it work: ... | eval output=mvappend(field_1, field_2) | stats values(output) as output ... View more

coalesce is not the right approach if both fields have a value in the same event as it will only use the value of the first field containing a non-null value... ... View more

FWIW, this syntax is not working for me: ... | stats values(mvappend(field_1, field_2)) AS output ... View more