I have a search where I'm trying to get some results, select some fields from them, and then search further into those fields. Something like this:

http_status=500 eventtype=ProductionAccessLog | fields + * | search eventtype!=KnownRobot | timechart span=1d count

I realize this looks kind of crazy because there's no obvious reason the eventtype!=KnownRobot part couldn't be a part of the initial search. In my real use case the beginning part of this search up to and including the fields command is coming from a saved search I'm bringing in with the loadjob command. The above search is a test that should produce the same results as the real thing.

The above search works fine, but now I need to optimize it by only selecting fields from the initial part of the search that I actually need (the saved search takes up too much disk space if I include all fields in it). My thinking is that the only fields I should need to select are the ones used by the KnownRobot event type and by the timechart command. So with that change the search becomes something like this:

http_status=500 eventtype=ProductionAccessLog | fields + http_useragent, http_ip_address, _time | search eventtype!=KnownRobot | timechart span=1d count

But for some reason this does not produce any results. I can tell that the | search eventtype!=KnownRobot part is what's throwing it off because if I remove that section, I can get the non-filtered results. I've played around with including other fields and even using other event types in the search command, always making sure to include all of the fields used by the event types I'm filtering by, and as far as I can tell any eventtype-based criteria in that part of the search causes me to get no results unless I go back to selecting every field.

Does anyone have an idea why this is happening?