Hi,
I am trying to create a search that looks for specific signatures detected on the IPS and then returns all related firewall and proxy logs, grouped by each related set of events. I have written the following query. It is returning the correct results but taking hours to run, and it looks like the time fields are not being parsed to the outer search:
(index=ips OR index=firewall OR index=proxy) [search index=ips signature_id IN (25007, 25008, 25009) | eval earliest=_time-300 | eval latest=_time+60 | fields earliest latest src_ip] | transaction src_ip
The search is run over 90 days. The inner search completes after around 30 sec and returns 6 results. I am wanting to run the outer search for each of the six results (5 min before the IPS event to 1 min after).
While the results I get are correct, the search took 10 hrs to run. If I manually enter the earliest and latest and src_ip into the following, each result only takes around 2 min:
(index=ips OR index=firewall OR index=proxy) earliest=X latest=Y src_ip=Z | transaction src_ip
So I think the outer search is being run 6 times for either 'All Time' or 'Last 90 days'. Can anyone assist me with getting the earliest and latest to parse so that it only runs the query on a 6 min range for each result of the inner search?
Thanks very much.
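An added example, not from the original post, of running the outer search once per inner result with Splunk's map command instead of a subsearch; the index names, signature IDs and the -300/+60 second window are taken from the post, and the assumption is that map substitutes the epoch values of the earliest and latest fields into the per-event search as time modifiers.

```spl
index=ips signature_id IN (25007, 25008, 25009)
| eval earliest=_time-300, latest=_time+60, ips_time=_time
| fields earliest latest src_ip ips_time
| map maxsearches=10 search="search (index=ips OR index=firewall OR index=proxy) earliest=$earliest$ latest=$latest$ src_ip=$src_ip$ | transaction src_ip | eval ips_time=$ips_time$"
```

Each map iteration is a separate search bounded to the 6 min window around one IPS event, and ips_time tags every returned transaction with the event that triggered it; maxsearches caps how many inner results are acted on, so raise it if the IPS search returns more than ten.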