@ITWhisperer Manual runs of the search and to collect into summary index create those stash files. It is unrelated to the occurrence of duplicate events. The allocation of all sources is equal (25%) , as you can see below. Is that correct ?  

Finally, the key piece of information! You are expecting this to be an Excel date value. | makeresults | eval date=45123 | eval _time=(date-25567-2)*24*60*60 Excel uses dates based on the start of the 20th Century 1900-01-01, counting in days, whereas, Splunk uses unix-style times based on seconds since 1970-01-01, so, you need to subtract the number of days between these two baseline points, and multiply by the number of seconds in a day. Note that Excel may not be calculating the date correctly since it indexes the first day as 1 (instead of 0) and incorrectly assumes that 1900 was a leap year (which it wasn't), hence the extra -2 days in the calculation. Having said that, you will have to decide whether the _time value returned is correct based on the source of your data i.e. it could be a couple of days out.

@ITWhisperer What caused the creation of these "D:\Splunk\var\spool\splunk\99ec742c0c976c35_events.stash_new" files? Instead of spool files, that should be the name of the report. Do stash-spool files get created when a saved search is used ad hoc or backfill? When there are no spool files being created by scheduled?

MDI logs are generated on security.microsoft.com portal and are not present locally on the servers where Splunk forwarders and MDI sensor are installed. There is a possibility with Sentinel [ https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration ] but we want to do this to Splunk.  We might not be able to install anything on the portal. Do we have a set of documentation available as to how to send the MDI logs from security.microsoft.com portal to Splunk ?