Hello,
I am running the following search via the API:
search index=juniper sourcetype=juniper:junos:firewall "3389"
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<src_port>\d{1,5})-\>(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<dest_port>\d{1,5})"
| eval src_ip_class=if((cidrmatch("192.168.0.0/24",src_ip) OR cidrmatch("172.16.0.0/12",src_ip) OR cidrmatch("10.0.0.0/8",src_ip)),"private","public")
| where dest_port=3389 and src_ip_class="private"
| head 5
I am trying to run it in two ways:
1. With earliest=-90d in the first clause of the query (right after the "3389").
2. With earliest_time=2022-01-31T00:00:00.000Z and latest_time=2022-06-28T23:59:59.999Z that I am passing via the API.
The first method returns many results while the second returns none.
When querying the search status, I am seeing a huge difference in the very first stage of the query:
"command.search": { "duration_secs": 21.298, "invocations": 111, "input_count": 0, "output_count": 266474 }
vs
"command.search": { "duration_secs": 2.329, "invocations": 52, "input_count": 0, "output_count": 98835 }
I have confirmed that the earliestTime and latestTime shown in the search status are correct. I have also checked for time skews between _time and indextime and have found none. Changing earliest_time to index_earliest also did not help.
What can account for this difference?
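To make the two time-range variants concrete, here is an added Python re-implementation of the post's pipeline (term filter, time window, rex, eval with cidrmatch, where, head) run over a handful of constructed Juniper-style events. It is not Splunk code and not from the original post; the events, the reference time NOW (2022-10-15) and the helper names are all assumptions. It shows that earliest=-90d is resolved against the search's reference time while earliest_time/latest_time are fixed, so the two windows can select entirely different events. It also keeps the post's 192.168.0.0/24 entry as written; note that RFC 1918 defines the private block as 192.168.0.0/16, so a source such as 192.168.5.7 comes out "public" with the /24 mask.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Juniper data): (_time as ISO-8601 UTC, _raw)
SAMPLE_EVENTS = [
    ("2022-03-02T08:15:00Z", "RT_FLOW_SESSION_CREATE: 10.1.2.3/51234->203.0.113.5/3389 junos-ms-rdp"),
    ("2022-03-03T09:00:00Z", "RT_FLOW_SESSION_CREATE: 192.168.0.20/40000->198.51.100.9/3389 junos-ms-rdp"),
    ("2022-04-10T12:00:00Z", "RT_FLOW_SESSION_CREATE: 192.168.5.7/40001->198.51.100.9/3389 junos-ms-rdp"),
    ("2022-05-05T13:00:00Z", "RT_FLOW_SESSION_CREATE: 203.0.113.77/5555->10.9.8.7/3389 junos-ms-rdp"),
    ("2022-06-01T14:00:00Z", "RT_FLOW_SESSION_CREATE: 10.5.5.5/3389->10.9.8.7/443 junos-https"),
    ("2022-09-20T15:00:00Z", "RT_FLOW_SESSION_CREATE: 172.20.1.4/52000->203.0.113.5/3389 junos-ms-rdp"),
    ("2022-09-25T16:00:00Z", "RT_FLOW_SESSION_CREATE: 10.0.0.9/52001->203.0.113.6/3389 junos-ms-rdp"),
]

# Same capture groups as the rex in the post ("->" needs no escaping in Python's re).
FLOW_RE = re.compile(
    r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<src_port>\d{1,5})"
    r"->(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<dest_port>\d{1,5})"
)

# CIDR list copied from the post's eval. RFC 1918 defines 192.168.0.0/16, so with /24
# a source such as 192.168.5.7 is classified "public" by this list.
PRIVATE_CIDRS = [ipaddress.ip_network(c) for c in ("192.168.0.0/24", "172.16.0.0/12", "10.0.0.0/8")]


def parse_time(iso):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix, optional fractional seconds)."""
    if iso.endswith("Z"):
        iso = iso[:-1]
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def cidrmatch(networks, ip):
    """Equivalent of OR-ing several cidrmatch() calls in SPL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def run_search(events, earliest, latest, term="3389", dest_port=3389, limit=5):
    """Apply the post's pipeline: term filter, time window, rex, eval, where, head."""
    hits = []
    for ts, raw in events:
        t = parse_time(ts)
        if not (earliest <= t <= latest):  # time range bounds the base search
            continue
        if term not in raw:                # the literal "3389" term in the base search
            continue
        m = FLOW_RE.search(raw)            # rex: extract src/dest ip and port
        if not m:
            continue
        f = m.groupdict()
        f["_time"] = ts
        # eval src_ip_class=if(cidrmatch(...) OR ..., "private", "public")
        f["src_ip_class"] = "private" if cidrmatch(PRIVATE_CIDRS, f["src_ip"]) else "public"
        # where dest_port=3389 and src_ip_class="private"
        if int(f["dest_port"]) == dest_port and f["src_ip_class"] == "private":
            hits.append(f)
            if len(hits) >= limit:         # head 5
                break
    return hits


def relative_window(now, days):
    """earliest=-<days>d: resolved against the search's reference time."""
    return now - timedelta(days=days), now


def absolute_window(earliest_iso, latest_iso):
    """earliest_time/latest_time passed as absolute ISO-8601 values."""
    return parse_time(earliest_iso), parse_time(latest_iso)


if __name__ == "__main__":
    NOW = parse_time("2022-10-15T00:00:00Z")  # constructed reference time for -90d
    variants = (
        ("earliest=-90d (relative to NOW)", relative_window(NOW, 90)),
        ("earliest_time/latest_time (absolute)",
         absolute_window("2022-01-31T00:00:00.000Z", "2022-06-28T23:59:59.999Z")),
    )
    for label, (earliest, latest) in variants:
        results = run_search(SAMPLE_EVENTS, earliest, latest)
        print(f"{label}: {len(results)} result(s), window {earliest:%F} .. {latest:%F}")
        for h in results:
            print("   ", h["_time"], h["src_ip"], "->", h["dest_ip"], "/", h["dest_port"])
```

With the constructed reference time the relative window (2022-07-17 to 2022-10-15) returns only the two September events, while the absolute window returns only the two March events; neither window is wrong, they simply bound different data. When comparing two runs of the same search, compare the resolved earliestTime/latestTime of each job first, exactly as the post does, before looking at the later pipeline stages.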