I still haven't taken to data models and pivot entirely, and now I have found another thing that annoyed me.

Going with the data model supplied with splunk, "Splunk's Internal Audit Logs - SAMPLE", I open the root element in pivot and change the timeframe to "Last 15 Minutes" which yields about 500 results. I want to add a filter. For example, I want to limit the results to only denied events, so I click the plus next to the time range and select "action". To see which options I have, I click the drop-down arrow in the following box - and then I wait. It takes ages for Splunk to give me these options.

I don't know where these come from, but I would imagine there is a search somewhere, much like the searches that power the dynamic options of a drop-down on a dashboard. However, I can't find this search under "Activity - Jobs", and I can't seem to figure out where it is defined. It feels like this search runs over all time and not the timeframe specified for my pivot, but without the job inspector, I don't see how I could verify this, much less change it.

So please, either prove that I was blind and show me the documentation covering this aspect of pivot and data models, or reassure me that something is not as it should be. Thanks!