Based on the messages ingested against the source category used in my scheduled search "A B C", I should have received an alert
This can be caused either by a timestamp parsing or timezone issue, or by latency in ingestion.
1.) Timestamp parsing or timezone issue:
Run the query for the scheduled search in the search tab with "Use Receipt time" checked.
Compare the message time and the receipt time of the messages that should have triggered the alert, and also the timestamp inside the message itself. If you find a gap of hours between the message time and the receipt time, suspect a default timezone configuration issue on the collector and/or source.
In the following example, you can see the message was ingested (received) by Sumo Logic at 11:41 CDT (Central time, UTC-05:00), but the message time assigned to it is 06:41 CDT. This implies the default collector or source timezone was set to UTC. This can be corrected either by editing the collector and/or source timezone to Central time with DST (America/Chicago, for example) or by specifying a custom timestamp format on the source so that the timezone is read from the message.
2.) Latency in message ingestion:
If the gap between the message time and the receipt time is on the order of, say, 5-15 minutes, as can be the case when ingesting S3 objects or CloudTrail data, the cause is ingestion latency. In the following example, a 15-minute scheduled search executed for the time range 07:30 to 07:45 did not see any data because the data for that time range was ingested after the scheduled search had already executed.
The solution here is to check "Use Receipt time" in the scheduled search configuration so that the query in the scheduled search evaluates the messages received in the specified time range, regardless of the timestamp parsed from the message.