To be absolutely honest with you, whenever I see such nested subsearches I get the impression that someone was trying to "think SQL" and implement it in Splunk. It doesn't work this way (or at least not very efficiently). So please tell us what you want to achieve (not how you're trying to do it); maybe we'll think of something better 🙂 And tell us what data you have (some examples, anonymized/obfuscated if need be, would be helpful).

EDIT: Oh, and don't use conditions like `Attributes.KeyValuePairOfstringanyType{}.new_circuit.Name="*DC*"` in your initial searches. Since they contain a wildcard at the beginning of the search term, Splunk will have to literally scan all events from the defined time range to find your matching events, since it cannot use its internal indexes to match them.