https://community.splunk.com/t5/Splunk-Search/Can-Some-One-Help-With-Query-Optimization/m-p/459992#M129776 <P>why don't you stop use <CODE>join</CODE> and make flag like:</P> <PRE><CODE>| eval flag=case(parsedate &gt; relative_time(now(),"-10d@d") AND parsedate &lt; now() ,"lastdate", ....) .... | stats sum(AMOUNT) as AMOUNT by UiCountryCode parsedate flag ... </CODE></PRE> Tue, 19 May 2020 14:14:22 GMT to4kawa 2020-05-19T14:14:22Z https://community.splunk.com/t5/Splunk-Search/Can-Some-One-Help-With-Query-Optimization/m-p/459990#M129774 <PRE><CODE>index="ocdm" source IN ("covid_collection.csv","covid_collection_lcpr.csv","covid_collection_cl.csv", "covid_collection_cr.csv") |where AMOUNT!="NA" |eval latestdatestart=relative_time(now(),"-10d@d"),latestdateend=now(),parsedate=strptime(TXNDATE,"%m/%d/%Y") |where parsedate &gt;= latestdatestart AND parsedate &lt; latestdateend |stats sum(AMOUNT) as latestdatevalue by UiCountryCode parsedate|sort parsedate |eval latestdate=strftime(parsedate,"%m/%d/%Y"), latestdatevalue=round(latestdatevalue,2) | table UiCountryCode latestdate latestdatevalue lastday |eval latestdateformat=strptime(latestdate,"%m/%d/%Y"),lastdayformat = relative_time(latestdateformat,"-1d@d"),lastday=strftime(lastdayformat,"%m/%d/%Y") |join UiCountryCode lastday [search index="ocdm" source IN ("covid_collection.csv","covid_collection_lcpr.csv","covid_collection_cl.csv", "covid_collection_cr.csv") |where AMOUNT!="NA" |eval lastdaystart=relative_time(now(),"-11d@d"),lastdayend=relative_time(now(),"-1d@d"),parsedate=strptime(TXNDATE,"%m/%d/%Y") |where parsedate &gt;= lastdaystart AND parsedate &lt; lastdayend |stats sum(AMOUNT) as lastdayvalue by UiCountryCode parsedate |sort parsedate |eval lastday=strftime(parsedate,"%m/%d/%Y"),lastdayvalue=round(lastdayvalue,2) | table UiCountryCode lastday lastdayvalue |eval lastdayformat=strptime(lastday,"%m/%d/%Y"),lastweekformat = relative_time(lastdayformat,"-7d@d"),lastweek=strftime(lastweekformat,"%m/%d/%Y")] |join UiCountryCode lastweek[search index="ocdm" source IN ("covid_collection.csv","covid_collection_lcpr.csv","covid_collection_cl.csv", "covid_collection_cr.csv") |where AMOUNT!="NA" |eval lastweekstart=relative_time(now(),"-17d@d"),lastweekend=relative_time(now(),"-6d@d"),parsedate=strptime(TXNDATE,"%m/%d/%Y") |where parsedate &gt;= lastweekstart AND parsedate &lt; lastweekend |stats sum(AMOUNT) as lastweekvalue by UiCountryCode parsedate |sort parsedate |eval lastweek=strftime(parsedate,"%m/%d/%Y"),lastweekvalue=round(lastweekvalue,2) | table UiCountryCode lastweek lastweekvalue] |eval kpi="COLLECTION AMOUNT",_time=relative_time(now(),"-0d") |fields - latestdateformat,- lastweekformat,- lastdayformat </CODE></PRE> Tue, 19 May 2020 10:37:03 GMT https://community.splunk.com/t5/Splunk-Search/Can-Some-One-Help-With-Query-Optimization/m-p/459990#M129774 rakesh868852914 2020-05-19T10:37:03Z https://community.splunk.com/t5/Splunk-Search/Can-Some-One-Help-With-Query-Optimization/m-p/459991#M129775 <P>I've reformatted the query to make it easier to read.</P> <P>Please explain what the query is attempting to do. What are the desired results? What makes you think it needs to be optimized?</P> Tue, 19 May 2020 13:12:22 GMT https://community.splunk.com/t5/Splunk-Search/Can-Some-One-Help-With-Query-Optimization/m-p/459991#M129775 richgalloway 2020-05-19T13:12:22Z https://community.splunk.com/t5/Splunk-Search/Can-Some-One-Help-With-Query-Optimization/m-p/459992#M129776 <P>why don't you stop use <CODE>join</CODE> and make flag like:</P> <PRE><CODE>| eval flag=case(parsedate &gt; relative_time(now(),"-10d@d") AND parsedate &lt; now() ,"lastdate", ....) .... | stats sum(AMOUNT) as AMOUNT by UiCountryCode parsedate flag ... </CODE></PRE> Tue, 19 May 2020 14:14:22 GMT https://community.splunk.com/t5/Splunk-Search/Can-Some-One-Help-With-Query-Optimization/m-p/459992#M129776 to4kawa 2020-05-19T14:14:22Z