You forgot an index= between search and "indexFoo3" . Rather than fix it as-is, try this enhanced overhaul: index="indexFoo1" OR index="indexFoo2" OR index="indexFoo3" |eval Foo2=upper(Foo2) | eval Foo2=replace(Foo2, "\.", "") |eval Foo3=if(index="indexFoo1", Foo3x, Foo3y) |fields Foo1,Foo3,Foo2,Foo4 | stats values(*) AS * BY Foo3 | where index="indexFoo1" | eval Time=strftime(_time, "%H:%M:%S %d/%m/%y") | appendpipe [index="indexFoo3" earliest=-30d | eval Foo2=upper('Foo2x') | stats count by Foo2 | fields Foo1,Foo3,Foo2,Foo4] | stats values(*) BY Foo2 | where index="indexFoo1" OR index=indexFoo2" | eval Foo2=tostring(Foo2)| eval Foo2 = substr(Foo2,0,2).":".substr(Foo2,3,2).":".substr(Foo2,5,2).":".substr(Foo2,7,2).":".substr(Foo2,9,2).":".substr(Foo2,11,2)| search NOT count>0| table Foo3,Foo1,Foo4,Foo2 Neither of your rex commands captured anything (named) so they did nothing so I removed them. ... View more

If by mixed account you mean an account who has 'nix GID and windows ID... the answer is no. The username/pass for the database server should be the windows domain user/pass. First thing to do is the troubleshooting section: http://docs.splunk.com/Documentation/DBX/1.2.2/DeployDBX/Troubleshoot Make sure you select your appropriate version. I gave link to 1.2.2, you can change the version in upper-ish right-ish corner of the page. You might also like to review the "enhanced" troubleshooting section of version 2 because they got into more driver troubleshooting, etc. in the latest documents (not all will apply but might help). It for sure sounds like a timeout issue. So I would start by putting dbx into debug mode (covered in the link). Then I would check index=_internal log_level=ERR* OR log_level=WARN* . Post any errors and warnings related to db connect as comments. Finally, you can telnet to test port 1433 is open, check error logs on the sql server, and many more things. It might take a while but we'd be happy to help you if you've got the time to update this post. Here's a link for troubleshooting SQL TCP/IP Port Setup/etc.: https://support.microsoft.com/en-us/kb/823938 Note that in windows 2010+ and I've even seen in it 2008 i believe... the TCP/IP SQL configuration has new options. You have to enable TCP/IP on the instance, and also on the IPv4 address under advanced properties. ... View more

Just let the "wrong" buckets age out, it'll fix itself over the retention period for that index. ... View more