I can think of a few things that may speed up the search. In no particular order, try these:
1. Limit the initial time range for the index="example" portion. You can eliminate a lot of buckets by specifying the time.
2. Do you need all of the fields returned by the initial index="example" portion? If not, use the "fields" command to reduce the amount of data that is manipulated.
3. Can you be more specific in your initial search? If you can add more matching key/value pairs to reduce the data, so much the better.
4. Use the "Fast" mode to search, not Smart or Verbose modes.
5. Replace the ... | search Location != "" line with ... | where isnotnull(Location). != forces all of the data to be searched first, then returns the events that don't match.
6. Move the eval statement after the second lookup.
I'd be curious to hear if there are any time improvements.