The last_time field is a numeric field that cannot accept a formatted time string value. This was preventing the new data from applying to the fields.  There is no notification of failure when it fails. Either store the datetime as epoch numeric or as a formatted string str value. The function works and is essentially repaired.   | inputlookup kvstoreA | eval joinField=test_name+rule_name+test_target | join type=inner [ search index=a sourcetype=b NOT variable="ignore" | dedup testName testTargetDesc ruleName | eval Event_last_time=_time, Event_last_status=case(eventType=="A","healthy",eventType=="B","unhealthy",TRUE(),"undefined"), Event_test_name='alert.testName', Event_rule_name='alert.ruleName', Event_test_target='alert.testTargetsDescription{}', joinField=Event_test_name+Event_rule_name+Event_test_target] | where Event_last_time!=last_time | eval last_status=Event_last_status, last_time=Event_last_time | fields last_time last_status test_name rule_name test_target | outputlookup kvstoreA append=True ... View more