Speed up your searches, cut noise, and stay lean. Here’s how:

1. Always Specify the Index

index=firewall host="fwlog.bham.ac.uk"

2. Tighten the Time Window

earliest=-15m latest=now

3. Filter Early

index=fwlogs srcip=1.2.3.4 action=allow

4. Limit Fields

| fields srcip dstip action

5. No Leading Wildcards

abc* ✅   *abc ❌

6. Prefer tstats on Indexed Data

Way faster on large sets.

7. Use table for Display Only

Not for filtering.

8. Replace join with Lookups

More efficient, less painful.
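To put tips 6 and 8 side by side, here is an added example (not from the original post) of the same question asked two ways: first as a raw-index search with a join, then rewritten over an accelerated data model with a lookup. It assumes the firewall events are mapped to the CIM Network_Traffic data model with acceleration enabled, and a CSV lookup named asset_owners with columns ip and owner; both names are assumptions.

```spl
index=fwlogs action=allow earliest=-15m latest=now
| stats count BY srcip dstip
| join type=left srcip
    [ | inputlookup asset_owners
      | rename ip AS srcip ]
| table srcip dstip owner count

| tstats summariesonly=true count
    FROM datamodel=Network_Traffic
    WHERE All_Traffic.action="allowed" earliest=-15m latest=now
    BY All_Traffic.src All_Traffic.dest
| rename All_Traffic.src AS srcip, All_Traffic.dest AS dstip
| lookup asset_owners ip AS srcip OUTPUT owner
| fields srcip dstip owner count
| sort -count
| head 100
```

The tstats form reads only the accelerated summary (summariesonly=true), so it never touches raw events, and tstats only sees indexed fields or data model fields, not search-time extractions like a raw srcip. The lookup enriches each row in place without the subsearch limits that join runs into.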

9. Trim the Output

| dedup srcip
| head 100

10. Schedule Heavy Lifting

Use saved reports, summaries, or accelerate models.

Cut waste. Search smart. Your license will thank you.