@EPitch I don't believe there is a break on condition function to abort the search, but what you could do is to turn on sampling at an appropriately large ratio so you run the search on a subset of the data. This will be quicker - if you get >10 then you don't need to re-run - but if you get <10, you will need to re-run at a lower sampling ratio. I'm not sure this solves the problem in that if you don't expect or want >10 then you will always end up running the search with 1:1 ratio.

The other alternative is to craft your search criteria to use the TERM() directive if possible and if these data fields can be reduced to TERM elements then you can even use tstats. See this .conf presentation https://conf.splunk.com/files/2020/slides/PLA1089C.pdf

So maybe you can do

index=blah sourcetype=blah (TERM(name=Name1) TERM(ip=IP1) TERM(id=id1)) OR...

but you will have to know your data well to know if the terms exist as real terms in the data and you need to understand major and minor breakers in the data.

If all the search criteria can be converted to TERM then you could do

| tstats count where index=blah sourcetype=blah (TERM(name=Name1) TERM(ip=IP1) TERM(id=id1)) OR... by PREFIX(name=) PREFIX(ip=) PREFIX(id=)
| rename *= as *
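Added example, not part of the original post: a small Python check of whether a `key=value` string survives as one indexed token in sample raw events, which is what TERM() and PREFIX() depend on. The breaker list is an assumption (a simplified subset of Splunk's default single-character major breakers), and the events are constructed.

```python
import re

# Assumption: simplified subset of Splunk's default single-character major
# breakers. Multi-character and URL-encoded breakers are left out.
MAJOR_BREAKERS = " \t\r\n[]<>(){}|!;,'\"*&?+"
_SPLIT = re.compile("[" + re.escape(MAJOR_BREAKERS) + "]+")


def major_segments(raw):
    """Split a raw event on major breakers only.

    Minor breakers (such as = . : -) stay inside a segment, so each
    segment is a candidate token for TERM().
    """
    return {seg for seg in _SPLIT.split(raw) if seg}


def term_usable(term, raw):
    """True if `term` appears in `raw` as one whole major-breaker-bounded token."""
    if _SPLIT.search(term):
        # A term containing a major breaker can never be a single token.
        return False
    return term in major_segments(raw)


def check_terms(terms, events):
    """Map each term to the fraction of sample events where it is a whole token."""
    return {t: sum(term_usable(t, e) for e in events) / len(events) for t in terms}


# Constructed sample events: the second one quotes the name value and uses
# ", " and ";" as separators, which changes how it is segmented.
EVENTS = [
    'ts=2024-01-01T00:00:00Z name=Name1 ip=10.1.2.3 id=id1',
    'ts=2024-01-01T00:00:05Z name="Name1", ip=10.1.2.3; id=id1',
]

if __name__ == "__main__":
    wanted = ["name=Name1", "ip=10.1.2.3", "id=id1"]
    for term, ratio in check_terms(wanted, EVENTS).items():
        status = "safe for TERM()" if ratio == 1.0 else "not a term in every event"
        print(f"{term:14} {ratio:4.0%}  {status}")
```

A term that scores below 100% on a representative sample would make the TERM() or tstats search silently miss events, so that field needs the normal search instead.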