1. "index=* OR index=*"? You were generating it somehow? Limit your search to appropriate indexes.
2. You have many "left wildcard" conditions - conditions in which fields start with an asterisk. It is highly inefficient since Splunk needs to read whole events.
3. You have a condition matching "a_location=* OR b_location=* OR c_location=* OR d_location=*" which, depending on your data, will most probably match all your events (or at least a very significant subset of them), so it's not very effective. Furthermore, the next composite condition is (a_location!=*S1* OR b_location!=*S1* OR c_location!=*S1* OR d_location!=*S1*), which will again most probably match most of your events.
4. eval Interface_card=mvappend(a_location,b_location,c_location,d_location) | mvexpand Interface_card - interesting approach, but firstly drop the fields you won't be needing later so you lower the memory footprint.
5. If you want to filter your results, you can simply add | search Utilization<A Utilization>B or | where Utilization>C AND Utilization<D (In this case - if you want to limit by constant values - they will both work. In the general case - these are differently working commands and you cannot simply substitute one for another).