Hi - I'm new to Splunk I am having a performance issue that causes a timeout over longer time spans on a base search I'm performing on a dashboard that uses a join. I have tried replacing the join with the suggested methods found here Here,  Here and Here. Unfortunately, I am unable to get it to work correctly and output the correct value I am getting from my join search. Perhaps this is because of the spath/rex extract commands I am using? Note my actual search uses tokens however I have replaced them with asterisks to avoid any confusion.  Any help would be much appreciated! My Code is:     index=ivr_app sourcetype="CEM-AppLog" rosterInfo | rex "^(?:[^{]*){7}(?P<my_data>.+)" | spath input=my_data output=vq path=TOD | spath input=my_data output=steps path=steps{} | spath input=my_data output=type path=type | spath input=my_data output=virtualQueue path=virtualQueue | spath input=my_data output=last_step path=steps{} | eval res = mvindex(last_step,mvcount(last_step)-1) | spath input=res output=name path=name | spath input=res output=type path=type | rex field=_raw "SN_CONTEXT_ID (?P<SN_CONTEXT_ID>[^\s]+) produced" | dedup SN_CONTEXT_ID | join type=inner SN_CONTEXT_ID[ search index=ivr_app "pipeline at completion" AND CALL_FLOW AND DNIS EXCHANGE NOT "NPS" NOT "TFRDEST" NOT TFRNUM NOT "SN_CONTACT_TYPE=Transfer" NOT "SN_TARGET_TYPE=Release" AND "SN_CONTACT_REASON=" AND SN_CALL_FLAGS="*" OR NOT SN_CALL_FLAGS="*" | dedup SN_CONTEXT_ID CONNID | foreach SN_CALL_FLAGS [ eval <<FIELD>> = if(isnull(<<FIELD>>) OR len(<<FIELD>>)==0, "NO_CALL_FLAG", <<FIELD>>) ] | search CLI="*" AND CONNID="*" AND SN_CALL_FLAGS="*" AND DNIS="*" ] | search type="Agent" | stats count as countAgent     ... View more