I'm assuming there's also some reporting commands like stats following the join , right? If you do search | stats , all the heavy lifting happens on the indexers. The search head only gets a small result set back to combine. If you do search | join | stats , the indexers have to return tons of data to the search head that then gets to do a huge join and simple stats . To solve this, move your metadata to a lookup file, define that lookup file as automatic for your sourcetype, and search like this: earliest=-9d index=os_nix_perf itemKey="cpuLoad" hostname=hostwildcard* (color=Purple OR color=Red) | stats ... The indexers can apply the lookup, filter accordingly, run the stats, and only return a small result set back. If for some inexplicable reason you cannot move the metadata to a lookup file, at least move the join after the stats : earliest=-9d index=os_nix_perf itemKey="cpuLoad" hostname=hostwildcard* | stats something by hostname | join hostname [search index=metadata (color =Purple) or (color=Red) | fields hostname, color | dedup hostname] Then the set that needs to be returned to the search head and joined there is fairly small. ... View more

Splunk has the lookup mechanism for enrichment data: http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents Once an automatic lookup is defined for a sourcetype, source, or host, its enriched fields magically appear in results and can be used for filtering or reporting. Using the lookup table itself you can dynamically fill dropdowns in dashboards as well. ... View more