Hi @antmob

To investigate the issue, you might want to start by checking the actual search window of the false alert instance using a query like:

    index=_internal sourcetype=scheduler status=success savedsearch_name=<name of your alert>

And, for the 2nd question on 2 consecutive 0 results, you can join the results of the below query with your alert logic, or you can use a summary index to store the results and join with the summary indexed data.

    index=_internal sourcetype=scheduler status=success savedsearch_name=<name of your alert> result_count=0

Hope this helps!
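Added example, not part of the original reply: one way to flag two consecutive zero-result runs directly from the scheduler log with `streamstats`, as an alternative to the join or summary index suggested above. The field names `is_zero`, `zero_in_last_2` and `runs_seen` are made up for this sketch, and `<name of your alert>` is the same placeholder used in the reply.

```spl
index=_internal sourcetype=scheduler status=success savedsearch_name="<name of your alert>"
| sort 0 _time
| eval is_zero=if(result_count==0, 1, 0)
| streamstats window=2 sum(is_zero) AS zero_in_last_2 count AS runs_seen
| where runs_seen==2 AND zero_in_last_2==2
| table _time savedsearch_name scheduled_time result_count
```

Each returned row is the second of two back-to-back successful runs that both returned 0 results; the `runs_seen==2` test keeps the first run in the time range from matching on its own.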