I have a performance issue concerning multiple time ranges in 1 search.
The search string is as follows:
(index=[index1] sourcetype=[sourcetype1]) OR (index=[index2] sourcetype=[sourcetype2 hoursago=24])
I choose for the timerangepicker the value: last 3 months.
Now this search will take ages.
The first part of the search isn't the problem, but the second one is.
It should be clear that I want all records from the first part and only the records from the last 24 hours from the last part.
The search above provide me with these, but the search takes ages.
My question is: isn't there a way to make this search faster?
I can't join because of the number of records (over 72 million) .