hi @matthewe25, You can check with the below configurations in props.conf. Remove attribute TIMESTAMP_FIELDS if you are using it. [sourcetype] TIME_PREFIX = (START|END,\d+-\d+-\d+\s\d+:\d+:\d+), TIME_FORMAT = %Y-%d-%m %H:%M:%S   If this reply helps you, an upvote/like would be appreciated. ... View more

Greetings @matthewe25 , I know this isn't exactly what you want, but this might help you: https://community.splunk.com/t5/Alerting/Configure-an-alert-based-on-the-number-of-results-as-warning/m-p/368892 As far as your actual question, I would test whether you can modify the savedsearches.conf file directly to try to set the severity to the same thing (e.g. $result.Criticality$) but try using numbers instead of words. It's a long shot, and it's definitely not documented, but that's the only way I can think of this working. As you said in your post, this situation is normally handled by using separate alerts. One way to make them slightly more dynamic is to retrieve the thresholds from a lookup. If you do that, at least you won't have to touch the multiple alerts to modify the thresholds moving forward. ... View more