https://community.splunk.com/t5/Splunk-Search/Splunk-sending-invalid-Email-Alerts/m-p/457752#M129272 <P>You may be getting events arriving later into the instance, what could explain the variation in numbers you;re seeing</P> <P>Check the _indextime field in those events to verify that</P> Tue, 09 Jul 2019 07:46:27 GMT tiagofbmm 2019-07-09T07:46:27Z https://community.splunk.com/t5/Splunk-Search/Splunk-sending-invalid-Email-Alerts/m-p/457751#M129271 <P>I am running a query to alert me if the sum of a particular property &lt; 400000. I get alert most times saying the count &lt; 400000. I go and run the query manually for that specific time describred in alert email.. I see that the count is well over 400000. What am I missing here?</P> <PRE><CODE>index=app host="aws-service-ip*" sourcetype="aws-fht-service-transactions" SVCPushCounter earliest="08/07/2019:19:00:00" latest="08/07/2019:19:30:00"| stats sum(SVCPushCounter) as totalBySvc by Partner| where (Partner=CVS AND totalBySvc&lt;4000000) ) </CODE></PRE> Mon, 08 Jul 2019 19:54:20 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sending-invalid-Email-Alerts/m-p/457751#M129271 rmuraly 2019-07-08T19:54:20Z https://community.splunk.com/t5/Splunk-Search/Splunk-sending-invalid-Email-Alerts/m-p/457752#M129272 <P>You may be getting events arriving later into the instance, what could explain the variation in numbers you;re seeing</P> <P>Check the _indextime field in those events to verify that</P> Tue, 09 Jul 2019 07:46:27 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-sending-invalid-Email-Alerts/m-p/457752#M129272 tiagofbmm 2019-07-09T07:46:27Z