Mmm, that's odd because I use that technique to manipulate _time - If you could find a simple example of _raw data where that is the case - perhaps by limiting the search just to pick up an event of each type - I'd be really interested to see. If the date format for the 2023 data is not as per the strptime format syntax that would cause a problem as it would be later - that would be my suspicion. If you can do a simple search for that 2023 data and do this  | eval orig_time=strftime(_time, "%F %T.%Q") | eval _time=strptime(...) | table _time orig_time that may show the difference ... View more

Hi, Thanks. Yes, finally I did that already its working fine. Even that search custom query was working , it got messed up in the mail filtering rules. Thanks for your suggestions . ... View more

You could do that, but whether that makes sense depends on your search, the fields available and your data, which I am not in a position to comment on. ... View more