There are many factors affecting the search speed. The most obvious and most effective way to reduce search time is to narrow the time range - less buckets processed, less time needed of course.

Other than that - indexed fields (like the default splunk's internal fields of source and sourcetype) do speed up the searches for a price of a heavily reduced flexibility of your searches - the field is extracted (or defined) at ingestion time and it stays that way forever in the index.

And lastly (unless we're getting into territory of reports acceleration, summary indexing or datamodels acceleration) - it's good to use "sparse" fields for searching

Contrary to your typical, for example, RDBMS, splunk doesn't work by simply looking through values of a given field and matching them using given condition - splunk extracts most of the fields dynamically so it would be hugely ineffective to parse every single event in search time and only then verify the contents of the field. Not digging too deply into the underlying mechanics, the event's raw data is split into "terms" which are indexed simply as a bunch of strings. Then if you search for, let's say "login=my_user", simplifying things a bit, splunks looks where it has encountered the string "my_user" and only after it locates the events in which that string shows up, it parses the event to see if the occurence was within the field named "login".

That's why you can relatively effectively look for strings with wildcard at the end ("my_user*") but should not use searches for values with wildcard at the beginning ("*my_user") - such search has to look through every single event and see if the actual value of the parsed field matches the string so it's higly ineffective (a bit like searching over an unindexed field in relational database).

The problem arises when you have a value which is very common (for example, 70% of your events contains login=my_user) and becomes even worse if the same field value occurs often across many different fields, because splunk has to read and parse many events until it finds the matching ones. That's when you want your fields indexed regardless of their "inconveniences".

So, after this - a bit long - introduction, from a performance point of view, the search

index=a sourcetype=subsourcetype

 should be as fast or faster than

index=a sourcetype=generalsourcetype myfield=myvalue

 Unless myfield is an indexed field.

But you have to take into account other factors like usability. Spawning many different sourcetypes can make building searches harder and analysing your data less convenient. Usually the sourcetypes get "split" on the actual type of events coming from a single general sourcetype but not in terms of a specific value contained therein (like status=success vs. status=failed - for that you use tags) but in terms of specific event formats coming from the same source (after all different sourcetypes usually mean different parsing rules).