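# [ace_field_analyzer]: which event fields the analyzer skips, which it treats
# as text, and the percentage thresholds it applies.
# One setting per line; comments sit on their own lines and start with '#'.
[ace_field_analyzer]

# Comma-separated list of field names on the analyzer's black list.
# NOTE(review): presumably matched by full field name; confirm against the consumer.
black_list_fields = event_id,owner,severity,host,drilldown_search_title,drilldown_search_earliest_offset,drilldown_title,drilldown_uri,search_type,time,entity_key,orig_rid,_raw,_time,splunk_server,_cd,_bkt,mod_time,orig_sid,is_use_event_time,eventtype,tag,splunk_server_group,search_name,rid,linecount,index,event_identifier_fields,source,sourcetype,tag::eventtype,drilldown_search_search,drilldown_search_latest_offset,punct,timeendpos,timestartpos,alerttriggertime,orig_raw,service_ids,serviceid,entity_title

# Comma-separated list of field names that hold text.
text_field_names = comment,description,summary,review,message

# Ignore every field whose name contains any of the keywords in this list.
# The keyword "time" ignores fields that represent time, such as
# alert_triggertime, alerttriggertime, lasttimeup, etc.
# NOTE(review): this is a match on part of the field name, so any field with
# "time" anywhere in its name is skipped, not only timestamps. Confirm that no
# field analysts rely on for correlation is dropped by it.
ignore_fields_that_contain = time

# Percentage settings ("perc").
# NOTE(review): the names suggest values in 0-100; the exact meaning of each
# threshold is defined by the consuming analyzer. Confirm before tuning.
threshold_distinct_value_perc = 35
min_distinct_value_perc = 10
max_count_perc = 80
threshold_event_coverage_perc = 10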