sorry for repost, maybe that's a better place, same problem on my side with AWS: @DEngineer did you solve your problem, because I am trying to establish a similar set up and have the same problem? Help would be very much appreciated. ... View more

The efficiency will depend upon the amount of processing to be done. Your search is doing extra stuff so it might be slower than my query. If your query is working for you, just try like this "search"| sort + Serial | streamstats window=2 global=f current=t first(complete) as next_com, first(serial) as next_serial | fields serial, complete, next_serial, next_com | eval test=if(complete > next_com, serial, 0) | eventstats max(test) as m_test | where complete == 0 AND (serial > m_test) ... View more