@gcusello  I'm not entirely sure what you're referring to to be honest. Our subsearch is well under 50k results so that shouldn't be the issue. But I appreciate you trying to assist. I'll see if I can puzzle it out. ... View more

@gcusello  Yeah it's odd. Neither of those 2 return any stats results (I checked to make sure I copied the whole query, updated as appropriate for indexes etc.) The original query is only giving 20 entries under stats (and far less results) which used to work so that's also weird. What we've been doing is something along the lines of this:   index=test OR index=test2 source="insertpath" ErrorCodesResponse=TestError TraceId=* | fields TraceId | append [ search index=test "Test SKU" AND @mt !="TestAsync: Request(Test SKU: )*" | fields TraceId, @t, @mt, RequestPath | where isnotnull('@t') AND isnotnull('@mt') AND match('@mt', "Test SKU: *") ] | eval date=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%Y-%m-%d"), time=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%H:%M") | stats values(date) as date values(time) as time values(@mt) as message values(RequestPath) as Path by TraceId | where isnotnull(date) AND isnotnull(time) AND isnotnull(message) | table date, time, TraceId, message, Path This seems to work better than our old search but I'd prefer to try and figure out yours as it's not using those appended searches. ... View more

@gcusello  Thanks for replying! That pull results, but it's doesn't populate anything in the statistic tab, which is our main issue (old query shows 20, alternate one that we don't really want to use shows 1700). The total results are around 38k as well so we're not going over, but definitely I think correcting the search issue is a good idea. Any ideas about the statistics piece? ... View more