I've tried the below with the fieldformat before and after the chart command, same results, the duration_U field still shows as a unix date, to the chart is technically correct, but the y axis information is not human readable.   Just shows values ranging from 70,000 to 90,000. index= source= | strcat date "000000" BDATE | eval duration_U=strptime(end_time,"%Y-%m-%d %H:%M:%S.%N") - strptime(BDATE,"%Y%m%d%H%M%S") |fieldformat duration_U=tostring(duration_U,"duration")| chart latest(duration_U) over system by date  

You have two options: Duplicate the alert and use a different cron expression for the different days/time periods Use now() function to determine when the search is running and modify the results so that the alert isn't triggered.

Hi @AMAN0113 , it's possible to share the DS only if it has to manage less than 50 clients. Even if, the most work in on the devices: if you are managing the addressing od the Deployment Server using a dedicated app, it's very easy to move the DS to another server, if not it's better to move the other servers. Anyway, To move the DS, you should create a custom Add-On, called e.g. TA_deploymentClient, containing only two files: apps.conf deplymentclient.conf So these are the steps to move the DS: on the old DS, add a new serverclass  for all clients pointing to the new add-on TA_deploymentClient on all clients remove deploymentclient.conf from the %SPLUNK_HOME/etc/system/local folder restart Splunk on all clients verify (on the DS) that in all clients there's a new app installed install Splunk on a new system, copy apps from $SPLUNK_HOME/etc/deployment-apps to the same folder of the new system copy %SPLUNK_HOME/etc/system/local/serveclasses.conf in thesame folder of the new system, push new new configurations To move the HEC, you have to re-create the inputs, eventually using the same tokens, but, in the devices, you have to point to the new destination. It could be easier if you have a Load Balancer in front of the the HEC servers, becausein this case, you have only to modify the configuration in the LB. Same thing for the syslog receivers: you have to  copy all the inputs from th old to the new servers and then move the pointing adresses in each device. See what' the highest number of connection you have (syslog, clients or HEC) and maintain it in the original server, moving the others. Ciao. Giuseppe

OK. _If_ you are seeing current events in other indexes, it should mean that your "main" part of the environment is working relatively ok. We don't have much info about your setup so we don't know whether this index you mention should contain events from multiple sources or just one source. If it's just one source, it may be that something caused that source to stop sending the events. Maybe due to turning off the forwarder or due to network problems. If it's an index gathering data from multiple sources... are you sure someone didn't delete it from your setup? Do you see any events in this index and just don't see recent evens or do you not see any events at all, even the old ones? What are your index parameters? (size limits, retention settings).

Hi @PickleRick, 1 - I can see other events in other indexes 2 - One month ago I restarted KV store, I didn't make other changes. 3 -I'm ingesting data, there aren't frozen data. What should I expect regarding the index from inputs.conf file? Thank you in advance. Mattia