Hi,
In my case, Splunk is getting data in by tcp port. I configure the TCP port with sourcetype="myagent".
the json format events I am getting looks like:

{"ID":32,"BUILD":"AA123","PNAME":"Cherry","DATE":"Wed Apr 3 01:00:00 2013","UID":"xyz123"}
{"ID":3,"MID":"222-444",,"TS":"Wed May 8 03:15:39 2013","CT":1,"MS":0,"AU":23}

My issue is for ID=3 Splunk getting event data in every 15 sec and for id=32 event data coming once in day. so Eventcount for ID=3 is very huge that ID=32.
When I search ID=32 data it takes so long to display events. I dont know how to search them faster. I am filtering the data on ID=32 as
sourcetype="myagent"|spath |search EID=32
in my search but not much helpful.
I want to ask can I give some different sourcetype name to ID=32 events so that I can search then faster and Splunk dont even look with data ID=3. OR can I attach some unique field which can differentiate between them and search ID=32 data faster? I never used pros.conf or inputs.conf So I am very nerveous to use it.please guide me in right direction to achieve faster retrieval of Events.

Thanks