Okay, we've torn your code apart and reconstructed it, and then realized that it seems like  it probably wastes a lot of machine time based on what you are ending up with.   In plain English, you are trying to get a count of Agent records that match a bunch of specific filters. Those filters come from either a JSON in the CEM-Applog or from SN_CALL_FLAGS in the other records.  It seems like you should be able to get this in a much more concise way, but we'd need to know more about the data in order to code that.  Here's a shot-in-the-dark rewrite to use the Splunk soup method.   ( index=ivr_app sourcetype="CEM-AppLog" rosterInfo ) OR ( index=ivr_app "pipeline at completion" CALL_FLOW DNIS EXCHANGE NOT NPS NOT TFRDEST NOT TFRNUM NOT "SN_CONTACT_TYPE=Transfer" NOT "SN_TARGET_TYPE=Release" "SN_CONTACT_REASON=" (SN_CALL_FLAGS="foo1" OR NOT SN_CALL_FLAGS="foo2") ) | rename COMMENT as "This section processes the CEM-Applog records" | rex "^(?:[^{]*){7}(?P<my_data>.+)" | spath input=my_data output=vq path=TOD | spath input=my_data output=steps path=steps{} | spath input=my_data output=type path=type | spath input=my_data output=virtualQueue path=virtualQueue | spath input=my_data output=last_step path=steps{} | eval res = mvindex(last_step,mvcount(last_step)-1) | spath input=res output=name path=name | spath input=res output=type path=type | rex field=_raw "SN_CONTEXT_ID (?P<SN_CONTEXT_ID1>[^\s]+) produced" | dedup SN_CONTEXT_ID1 keepempty=true | rename COMMENT as "This section processes the 'pipeline at completion' records" | dedup SN_CONTEXT_ID CONNID keepempty=true | eval SN_CONTEXT_ID=coalesce(SN_CONTEXT_ID,SN_CONTEXT_ID1) | fields - SN_CONTEXT_ID1 | stats values(*) as * by SN_CONTEXT_ID | foreach SN_CALL_FLAGS [ eval <<FIELD>> = if(isnull(<<FIELD>>) OR len(<<FIELD>>)==0, "NO_CALL_FLAG", <<FIELD>>) ] | search CLI="foo4" AND CONNID="foo5" AND SN_CALL_FLAGS="foo6" AND DNIS="foo7"   Read the above very carefully and skeptically, and then try it to see how it performs relative to your other code. Further Notes -  Replacing code with asterisks can really mess up the advice you get.  Tradition is to use "foo" and "bar" and "baz" to represent different values, or "foo1" "foo2" foo3" etc.   Even with actual code, this construct here does not seem to be meaningful.  If the two asterisks represent the same thing, then it's equivalent to isnotnull(SN_CALL_FLAGS).  If they represent different things, then the first clause is redundant, because when the first is true, the second is always true.    AND SN_CALL_FLAGS="*" OR NOT SN_CALL_FLAGS="*"   ... View more

if the searches are otherwise identical, then you can just use the multiselect value with the n token to avoid formatting it,  and set the value to a single space when you don't want it to contain anything of significance. Your search would look more or less like this: "search with a token inside" $multiselect_value2|n$ And the checkbox like this:  <input type="checkbox" token="test_checkbox"> <choise value="true">Enable</choise> <change> <condition match="$test_checkbox$=&quot;true&quot;"> <set token="multiselect_value2">$multiselect_value$</set> </condition> <condition> <set token="multiselect_value2"></set> </condition> </change> </input>   That could be made slightly simpler, but that would work. ... View more

There are several ways.   If it will be a consistent number of hours offset for each query, (for example 5 hours) then just subtract the number of seconds involved.  | eval _time = _time - 5*3600     You could also use a method such as the one in this answer  https://community.splunk.com/t5/Getting-Data-In/need-help-in-time-conversion/m-p/471116 Or you could look at my answer and koshyk's answers on this one and see if they can be adapted. https://community.splunk.com/t5/Getting-Data-In/Timezone-and-Timestamp-modification-at-search-report-time/td-p/16659/page/3 Or here  https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-show-local-time-of-the-device-of-that-area/m-p/348658 ... View more