If the time ranges are disjoint and there's a large gap between them, definitely use append for each time range. Currently (version 4.2), if you have multiple time ranges specified in your search, you'll find that Splunk in fact will scan over "all time" in your indexes, which, yes, would be remarkably inefficient (if you want two disjoint weeks worth of data, but your index contains a couple of years, that's bad). Using append will run each time range in a separate search, but each one will only search the limited range, so the overhead is only that of launching one search. (You do get other disadvantages, like having to remember to specify a higher maxtime and timeout and maxout parameter if your individual subsearches might be larger.)
... View more