Hello @gcusello, thank you for your response. Actually, yes, this could happen due to a process of squashing: when a certain threshold is reached, indexers drop the (host, source) fields to avoid an explosion in memory/processing overhead. What confuses me is that I am unable to find those events, so I'm wondering whether Splunk is dropping the entire events or just those fields. The search below shows whether you have this issue or not. This only works with large indexes:

index=_internal source=*license_usage.log* type="Usage" idx="my_index"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval st=if(len(st)=0 OR isnull(st),"(UNKNOWN)",st)
| fields _time,b,h,st
| bin _time span=1d
| stats sum(b) AS volume by h, _time, st
| stats avg(volume) AS avgVolume max(volume) AS maxVolume by h, st
| eval avgVolumeGB=round(avgVolume/1024/1024/1024,3)
| eval maxVolumeGB=round(maxVolume/1024/1024/1024,3)
| fields h, st, avgVolumeGB, maxVolumeGB
| rename avgVolumeGB AS "average" maxVolumeGB AS "peak", st AS "sourcetype", h AS "hostname"
| sort - average
| head 10
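An added example, not part of the reply above: a small Python script that reproduces the logic of that search offline, so the effect of squashing can be checked against a few license_usage.log lines without a Splunk instance. The sample lines are constructed and only approximate Splunk's real license_usage.log layout; the field names (s, st, h, idx, b) are the ones the search uses. Records whose h or s arrived empty are tagged (SQUASHED), an empty st becomes (UNKNOWN), volume is summed per host/day/sourcetype, and the average and peak daily GB per host and sourcetype are reported, plus the share of all indexed bytes that lost their host field.

```python
import re
from collections import defaultdict
from datetime import datetime

GB = 1024 ** 3

# Constructed sample of license_usage.log "Usage" records (layout approximated;
# not captured from a real indexer). Lines 2 and 5 have squashed h/s fields,
# line 3 has an empty sourcetype, line 6 belongs to another index and line 7
# is a non-Usage record, so all filters in the search get exercised.
SAMPLE_LOG = """\
03-01-2024 00:00:10.001 +0000 INFO LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="web01" o="" idx="my_index" i="AAA" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
03-01-2024 00:00:10.002 +0000 INFO LicenseUsage - type="Usage" s="" st="syslog" h="" o="" idx="my_index" i="AAA" pool="auto_generated_pool_enterprise" b=3221225472 poolsz=53687091200
03-01-2024 00:00:10.003 +0000 INFO LicenseUsage - type="Usage" s="/var/log/auth.log" st="" h="db01" o="" idx="my_index" i="AAA" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
03-02-2024 00:00:10.004 +0000 INFO LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="web01" o="" idx="my_index" i="AAA" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=53687091200
03-02-2024 00:00:10.005 +0000 INFO LicenseUsage - type="Usage" s="" st="syslog" h="" o="" idx="my_index" i="AAA" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
03-02-2024 00:00:10.006 +0000 INFO LicenseUsage - type="Usage" s="/var/log/messages" st="syslog" h="web01" o="" idx="other" i="AAA" pool="auto_generated_pool_enterprise" b=999999999 poolsz=53687091200
03-01-2024 00:00:10.007 +0000 INFO LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" b=5368709120
"""

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
# key=value pairs, either double-quoted (may be empty) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage_line(line):
    """Return a dict for a type=Usage record, applying the same
    (SQUASHED)/(UNKNOWN) substitutions as the eval stages; None otherwise."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = {k: (q if q is not None and q != "" or u is None else u)
              for k, q, u in KV_RE.findall(line)}
    if fields.get("type") != "Usage":
        return None
    day = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f").date()
    return {
        "_time": day,                                   # bin _time span=1d
        "h": fields.get("h") or "(SQUASHED)",           # empty/missing host
        "s": fields.get("s") or "(SQUASHED)",           # empty/missing source
        "st": fields.get("st") or "(UNKNOWN)",          # empty/missing sourcetype
        "idx": fields.get("idx", ""),
        "b": int(fields.get("b", "0")),
    }


def _daily_volume(log_text, idx):
    """stats sum(b) AS volume by h, _time, st  (restricted to one index)."""
    daily = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_usage_line(line)
        if rec is None or rec["idx"] != idx:
            continue
        daily[(rec["h"], rec["_time"], rec["st"])] += rec["b"]
    return daily


def squash_report(log_text, idx, top=10):
    """Average and peak daily GB per (hostname, sourcetype), top N by average."""
    per_key = defaultdict(list)
    for (h, day, st), vol in _daily_volume(log_text, idx).items():
        per_key[(h, st)].append(vol)
    rows = []
    for (h, st), vols in per_key.items():
        rows.append({
            "hostname": h,
            "sourcetype": st,
            "average": round(sum(vols) / len(vols) / GB, 3),
            "peak": round(max(vols) / GB, 3),
        })
    rows.sort(key=lambda r: r["average"], reverse=True)   # sort - average
    return rows[:top]                                     # head 10


def squashed_fraction(log_text, idx):
    """Fraction of the index's licensed bytes whose host field was squashed."""
    total = squashed = 0
    for (h, _day, _st), vol in _daily_volume(log_text, idx).items():
        total += vol
        if h == "(SQUASHED)":
            squashed += vol
    return squashed / total if total else 0.0


if __name__ == "__main__":
    for row in squash_report(SAMPLE_LOG, "my_index"):
        print(f'{row["hostname"]:<12} {row["sourcetype"]:<10} '
              f'avg={row["average"]:.3f} GB  peak={row["peak"]:.3f} GB')
    print(f"squashed share: {squashed_fraction(SAMPLE_LOG, 'my_index'):.1%}")
```

On the constructed sample the (SQUASHED) pseudo-host comes out on top, which is the signal the search is designed to surface: a large share of volume with no host attribution. That volume is still counted by the license log, which is why a host-based breakdown of usage can look smaller than the index total while the underlying events are nonetheless indexed.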