As an additional hint, you could add all four of your search terms literally to limit the initial search results for a bit of a performance boost.

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$ samr lsarpc srvsvc winreg
| stats count by src_user,src_ip,RelativeTargetName,host_fqdn
| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn

But whether this is significantly beneficial, you'd have to see on the job inspect page.

Another way to limit your results (as opposed to @ITWhisperer's solution, which works on the summarized data) would be to add all four values explicitly as field values, not with the IN clause.

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName=samr RelativeTargetName=lsarpc RelativeTargetName=srvsvc RelativeTargetName=winreg src_user!=*$
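
An added example, not part of the original answer: the filter and two-stage grouping from the first search, written as plain Python over constructed events so the per-source result can be checked offline. Field names follow the searches above; the sample events, function names and the final "all four pipes" check are assumptions about the goal.

```python
from collections import defaultdict

PIPES = {"samr", "lsarpc", "srvsvc", "winreg"}


def ev(user, ip, pipe, share=r"\\*\IPC$", code=5145, host="dc01.example.test"):
    """Build one constructed 5145 event with the field names used in the searches."""
    return {"EventCode": code, "file_name": share, "RelativeTargetName": pipe,
            "src_user": user, "src_ip": ip, "host_fqdn": host}


# Constructed sample data (not real logs).
EVENTS = (
    [ev("alice", "10.0.0.5", p) for p in ("samr", "lsarpc", "srvsvc", "winreg")]
    + [ev("bob", "10.0.0.9", "srvsvc"), ev("bob", "10.0.0.9", "srvsvc")]
    + [ev("WS01$", "10.0.0.7", p) for p in PIPES]            # machine account
    + [ev("carol", "10.0.0.8", "samr", code=5140)]           # other event code
    + [ev("carol", "10.0.0.8", "winreg", share=r"\\*\C$")]   # not the IPC$ share
    + [ev("carol", "10.0.0.8", "spoolss")]                   # pipe not in the list
)


def matches(e):
    """Same conditions as the base search: 5145, IPC$ share, listed pipe, src_user!=*$."""
    share = e.get("file_name", "")
    return (e.get("EventCode") == 5145
            and share.startswith("\\\\") and share.upper().endswith("\\IPC$")
            and e.get("RelativeTargetName", "").lower() in PIPES
            and not e.get("src_user", "").endswith("$"))


def pipes_by_source(events):
    """Equivalent of the two stats stages: distinct pipes per (src_ip, src_user, host_fqdn)."""
    seen = defaultdict(set)
    for e in events:
        if matches(e):
            key = (e["src_ip"], e["src_user"], e["host_fqdn"])
            seen[key].add(e["RelativeTargetName"].lower())
    return dict(seen)


def touched_all_pipes(events):
    """Sources whose grouped events cover every pipe in PIPES (assumed goal)."""
    return sorted(k for k, v in pipes_by_source(events).items() if v == PIPES)


if __name__ == "__main__":
    for key, pipes in pipes_by_source(EVENTS).items():
        print(key, sorted(pipes))
    print("all four:", touched_all_pipes(EVENTS))
```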