Please share you search so we can offer suggestions to optimize it. VPC data can be huge so it will take time to process 6 months of it.  You should consider using a data model.  How much data is the search going through?  Is the data evenly distributed among the indexers?

There are two ways to exclude events containing certain words.  The first is to put the word(s) in the base search ( the part before the first |) preceded by "NOT".  It may be easier to put desired words here if that number is smaller.  This won't work if the work must be in a specific field this not yet extracted. index="600000304_d_gridgain_idx*" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "StatisticBalancer - statisticData: StatisticData" "TRIM.UNB.D082923.T045920" |rex "totalOutputRecords=(?<totalOutputRecords>),busDt=(?<busDt>),fileName=(?<fileName>),totalAchCurrOutstBalAmt=(?<totalAchCurrOutstBalAmt>),totalAchBalLastStmtAmt=(?<totalAchBalLastStmtAmt>),totalClosingBal=(?<totalClosingBal>),totalRecordsWritten=(?<totalRecordsWritten>),totalRecords=(?<totalRecords>)" |table busDt fileName totalAchCurrOutstBalAmt totalAchBalLastStmtAmt totalClosingBal totalRecordsWritten totalRecords The other way is to use the search or where command to filter out events with the offending words (or keep those with desired words). index="600000304_d_gridgain_idx*" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "StatisticBalancer - statisticData: StatisticData" |rex "totalOutputRecords=(?<totalOutputRecords>),busDt=(?<busDt>),fileName=(?<fileName>),totalAchCurrOutstBalAmt=(?<totalAchCurrOutstBalAmt>),totalAchBalLastStmtAmt=(?<totalAchBalLastStmtAmt>),totalClosingBal=(?<totalClosingBal>),totalRecordsWritten=(?<totalRecordsWritten>),totalRecords=(?<totalRecords>)" | where fileName="TRIM.UNB.D082923.T045920" |table busDt fileName totalAchCurrOutstBalAmt totalAchBalLastStmtAmt totalClosingBal totalRecordsWritten totalRecords  

Hi you could search a reason for deleting bucket from internal index. You can start with  index=_internal *cold* *<your index or bucket Id>* You will get list of buckets. Select one which are frozen. Then use that bucket id to see the process how and why it has frozen. r. Ismo

Hi @obpedro  Thank you for your response. However, we are using preserve lookup while executing the apply bundle command.  So, in that case will change in deployer_lookups_push_mode help fix it? Is it not same as using -preserve-lookup true in the apply bundle command? Also want to know what value you have for deployer_lookups_push_mode?

There are few ways to limit the number of results.  The head, dedup, and stats commands can be used.  Which to use depends on the inputs and the desired results. index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | head 1 | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCMessage="ebnc event balanced successfully" | table EBNCMessage True index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCMessage="ebnc event balanced successfully" | dedup EBNCMessage | table EBNCMessage True index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCMessage="ebnc event balanced successfully" | stats values(*) as * by EBNCMessage | table EBNCMessage True  

Hello Everyone, Regrettably, the oldest available data across all indexes has been reduced to approximately 7 months. I have already conducted the following checks: Current index size: Less than 200GB (configured for 500GB) Indexers Disk Size (Cluster): All indexes currently have 30-35% free space. frozenTimePeriodInSecs=39420043 (approximately 15 months) Any assistance with troubleshooting would be greatly appreciated. Thank you.    

Hi @GaetanVP , I'm Vatsal from the Community Moderator team. As I can see you answered your own question. In such scenario if you accept your own answer it will be very useful for future visitors here.   Happy Splunking!!!

@fredclown - Email is just an alert action that comes default with Splunk. As you mentioned currently there is no option to prepend in the subject. You could raise as improvement in Splunk at https://ideas.splunk.com/ Or you could have your own custom Splunk alert action for email with all the same options, but there of course you could specify whatever subject you want in your own Python code. But somehow you would have to disable Splunk's built in Email action, so people don't use that to bypass your rule.   I hope this helps!!! Kindly upvote if it does!!