Channel: Latest Questions on Splunk Answers

Question about timemodifier

Hi!

I would like to ask about the timemodifier.

I have the following search, including a subsearch:

index=hoge [ search index=hoge _index_earliest=-1d@d _index_latest=@d
  | stats earliest(start) as earliest latest(stop) as latest by field
  | eval earliest=substr(earliest,5,2) . "/" . substr(earliest,7,2) . "/" . substr(earliest,1,4) . ":" . substr(earliest,9,2) . ":" . substr(earliest,11,2) . ":" . substr(earliest,13,2)
  | search conditionA
  | eval latest=substr(latest,5,2) . "/" . substr(latest,7,2) . "/" . substr(latest,1,4) . ":" . substr(latest,9,2) . ":" . substr(latest,11,2) . ":" . substr(latest,13,2)
  | fields field earliest latest
  | format "(" "(" "" ")" "OR" ")" ]

My purpose is to find the events that meet conditionA and were indexed the previous day, and to pass the earliest and latest time of each field to the main search.

However, when the number of events the main search should return is 5000, it scans a larger number of events.

For example:

  field    earliest          latest
  fieldA   1/25/2014 00:00   1/25/2014 01:00   (3 records exist)
  fieldB   1/25/2014 02:00   1/25/2014 02:00   (5 records exist)
  fieldC   1/26/2014 00:00   1/26/2014 01:00

  • my latest event in this record is 1/25/2014 01:50:00

If the subsearch returns ( field="fieldA" earliest="1/25/2014:00:00" latest="1/25/2014:01:00" ) OR ( field="fieldB" earliest="1/25/2014:02:00" latest="1/25/2014:02:00" ), I expect the main search to scan only 8 records, but it seems to scan more events than I expect.

Is the time modifier not working correctly if you concatenate it with ORs?

I have added a screenshot in which the scanned events keep increasing although the matching events are finished.

Thanks, Yu
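As an added illustration, not part of the original question and not Splunk's own code, the Python below emulates what the subsearch hands to the outer search. It applies the same substr()-style rewrite the query uses to constructed sample rows (start/stop are assumed to be 14-digit YYYYMMDDhhmmss strings, which is what the substr offsets in the query imply), builds the `format "(" "(" "" ")" "OR" ")"` string, and then computes the overall window from the smallest earliest= to the largest latest=, together with the number of seconds inside that window that no per-field range covers. The row values, the field names and all helper names are assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample rows (not from the original post): what the subsearch's
# `stats earliest(start) as earliest latest(stop) as latest by field` could return
# if start/stop are stored as 14-digit YYYYMMDDhhmmss strings. The values mirror
# the fieldA / fieldB rows in the question's table.
SAMPLE_ROWS = [
    {"field": "fieldA", "earliest": "20140125000000", "latest": "20140125010000"},
    {"field": "fieldB", "earliest": "20140125020000", "latest": "20140125020000"},
]

RAW_FMT = "%Y%m%d%H%M%S"  # layout assumed for the start/stop values


def to_splunk_time(ts14: str) -> str:
    """Same rewrite as the eval in the question, done with substr-style slicing:
    YYYYMMDDhhmmss -> MM/DD/YYYY:hh:mm:ss. Rejects input of the wrong shape
    instead of silently producing a string Splunk would not parse as a time."""
    if len(ts14) != 14 or not ts14.isdigit():
        raise ValueError(f"expected a 14-digit timestamp, got {ts14!r}")
    return (f"{ts14[4:6]}/{ts14[6:8]}/{ts14[0:4]}:"
            f"{ts14[8:10]}:{ts14[10:12]}:{ts14[12:14]}")


def format_clause(row: dict) -> str:
    """One parenthesised group per result row, with an empty column separator
    as in `format "(" "(" "" ")" "OR" ")"`."""
    return (f'( field="{row["field"]}" '
            f'earliest="{to_splunk_time(row["earliest"])}" '
            f'latest="{to_splunk_time(row["latest"])}" )')


def build_subsearch_string(rows: list) -> str:
    """The literal text the outer search receives in place of [ ... ]:
    the per-row groups joined by OR inside one outer pair of parentheses."""
    if not rows:
        raise ValueError("subsearch returned no rows; the outer search would get nothing to match")
    return "( " + " OR ".join(format_clause(r) for r in rows) + " )"


def _intervals(rows: list) -> list:
    """Per-field (earliest, latest) pairs as datetimes, sorted by start."""
    out = []
    for r in rows:
        lo = datetime.strptime(r["earliest"], RAW_FMT)
        hi = datetime.strptime(r["latest"], RAW_FMT)
        if lo > hi:
            raise ValueError(f'{r["field"]}: earliest {lo} is after latest {hi}')
        out.append((lo, hi))
    return sorted(out)


def scanned_envelope(rows: list) -> tuple:
    """Overall window the OR'd search spans: min(earliest) to max(latest).
    Every OR branch lives inside this window, so the outer search's time range
    is at least this wide even where no single branch matches."""
    ivs = _intervals(rows)
    return min(lo for lo, _ in ivs), max(hi for _, hi in ivs)


def uncovered_seconds(rows: list) -> int:
    """Seconds inside the envelope that no per-field window covers. A non-zero
    result means the OR'd ranges do not tile the envelope; for the sample rows
    the 01:00-02:00 hour on 1/25 lies between the fieldA and fieldB windows."""
    lo, hi = scanned_envelope(rows)
    ivs = _intervals(rows)
    covered = 0.0
    cur_lo, cur_hi = ivs[0]
    for s, e in ivs[1:]:          # merge overlapping windows so they are not double-counted
        if s <= cur_hi:
            cur_hi = max(cur_hi, e)
        else:
            covered += (cur_hi - cur_lo).total_seconds()
            cur_lo, cur_hi = s, e
    covered += (cur_hi - cur_lo).total_seconds()
    return int((hi - lo).total_seconds() - covered)


if __name__ == "__main__":
    print(build_subsearch_string(SAMPLE_ROWS))
    print("envelope:", scanned_envelope(SAMPLE_ROWS))
    print("uncovered seconds:", uncovered_seconds(SAMPLE_ROWS))
```

Two things worth checking on real rows before blaming the time modifiers: the envelope printed above is the time range the outer search spans as a whole, so events between the per-field windows sit inside it even though no OR branch matches them, and a window whose earliest and latest are identical (fieldB in the sample) is zero seconds wide, which with Splunk's exclusive latest bound selects nothing.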

