Hi @sahityasweety, this timestamp seems to be in epochtime, so to transfrom it in human readable format you can use the strftime function in the eval command. e.g. to transform in format yyy-mm-dd HH:MM:SS, you could try: | eval timestamp=strftime(timetampo,"%Y-%m-%d %H:%M:%S") Ciao. Giuseppe ... View more

PaulPanther's link https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Is where you want to go. Under the "Keep specific events and discard the rest" section, you can find stanzas for props.conf and transforms.conf files that you can place in an app on your indexing machines. Setting the regex of the setparsing stanza to "some message" would give you only the events containing that "some message", and discard the rest. # In props.conf [source::/your/log/file/path] TRANSFORMS-set= setnull,setparsing # In transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = some message DEST_KEY = queue FORMAT = indexQueue (It is assumed that you already have a working inputs.conf file to get the logs into your indexing machines. You can also set the stanza name in the props.conf file to use your log sourcetype) ... View more

That error usually is seen when an indexer stops while processing a search.  What relevant messages do you seen in search.log?  Are there any core files from the indexers? The local SSD provides only 8 days of storage.  Any query that searches data more than 8 days old will have to fetch the data from SmartStore, which will slow processing of the search.  Splunk recommends the local cache be large enough to hold at least 30 days of data. ... View more