Common search for Linux and Windows: the `rex` accepts both `/` and `\` as path separators, so the same search runs unchanged against either platform's splunkd logs.
index=_internal sourcetype=splunkd component=BucketMover "Will attempt to freeze"
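``` SPL comments (triple backticks) need Splunk 8.x or later; strip them on older versions ```
``` Pull index, bucket and reason out of the freeze message. The separator group (/|\\\) accepts / (Linux) and \ (Windows). The index name is taken as the directory right before /db/ or /colddb/, so paths on custom volumes that do not contain a /splunk/ component are parsed too (default layout is .../splunk/<index>/db). The class [^/\\\] keeps a Windows index_name to a single path component. ```
| rex field=_raw "(/|\\\)(?P<index_name>[^/\\\]+)(/|\\\)(db|colddb)(/|\\\)db_(?P<latest_event>\d+)_(?P<earliest_event>\d+)_(?P<bucket_number>[^\']+)\' (?P<reason>.*)"
``` Order on the epoch _time before formatting it: sorting the ctime string is lexical and misorders rows across month/year boundaries (12/31/2023 sorts after 01/05/2024). sort 0 lifts the default 10000-row cap so older freeze events are not silently dropped. ```
| sort 0 - _time
``` Render epochs in one unambiguous format (per the capture names the bucket dir is db_<latest>_<earliest>_<id>). Rows with an empty index_name are freeze messages whose path did not match the pattern above; they are kept visible rather than filtered out. ```
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(earliest_event) AS earliest_event ctime(latest_event) AS latest_event ctime(_time) AS Log_TimeStamp
| table Log_TimeStamp, index_name, bucket_number, earliest_event, latest_event, reason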