Can anyone make some recommendations in speeding up this search? It might be slow due to the large number of records, around 1/2 million.
index=charlesriver sourcetype=windows_events "An account was successfully logged on." | bucket span=1d _time | stats count first(_time) as Date by ADDomain, ADLogon, ADWorkstation, _time | eval Date=strftime(Date,"%m/%d/%Y") | eval ADDomain=case(ADDomain=="CRDWELLS","WELLS",ADDomain=="INTENSIVE","RACKSPACE",ADDomain=="CRDRS","CRD",1==1,"OTHER") | table Date, ADDomain, ADLogon,ADWorkstation, count | chart sum(count) over Date by ADDomain