Hi there, I am new to Splunk and trying to figure out a way to make the search below run faster: index=pan_logs sourcetype="pan:threat" | search NOT (client_ip=xxxx OR client=xxxx OR client_ip=xxxx OR client_ip=xxxx OR client_ip=xxxx OR client_ip=xxxx ) | eval field=split(_raw, ",") | eval type=mvindex(field,3), subtype=mvindex(field,4), src_ip=mvindex(field,7), dst_ip=mvindex(field,8), nat_src=mvindex(field,9), nat_dst=mvindex(field,10), rule_name=mvindex (field,11), app=mvindex(field,14),src_zone=mvindex(field,16),dst_zone=mvindex(field,17), ingress_if=mvindex(field,18), egress_if=mvIndex(field,19), log_action=mvindex(field ,20), src_port=mvindex(field,24), dst_port=mvindex(field,25), proto=mvindex(field,29), action=mvindex(field,30), url=mvindex(field,31), threat_id=mvindex(field,32), cat =mvindex(field,33), sev=mvindex(field,34), direction=mvindex(field,45) | search subtype!=url action=allowed OR action=alert OR action=sinkhole url!="\"saw.dll\"" | table _time type subtype src_ip dst_ip nat_src nat_dst rule_name app src_zone dst_zone ingress_if egress_if log_action src_port dst_port proto action url threat_id cat sev direction index | fields "_time", "action", "app", "cat", "direction", "dst_ip", "dst_port", "dst_zone", "egress_if", "index", "ingress_if", "log_action", "nat_dst", "nat_src", "proto", "rule_name", "sev", "src_ip", "src_port", "src_zone", "subtype", "threat_id", "type", "url" Thank you so much in advance.