Moreover, for "bf=1" the search engine splits it into
base lispy: [ AND 1 bf ]
This is because of the default segmentation of underscore (_) character in SPL.
This means it checks for "bf" and 1 in events, rather than a key-value pair. These values could appear in lots of events individually at the first-level filter, and hence the search is likely to take a lot of time in narrowing down the results.
You could use TERM("bf=1"), which will translate to
base lispy: [ AND bf=1 ]
This would do an exact match of the listed string and hence the results would be way faster.
Sample example:
index=_internal active_searches
This search has completed and has returned 1,000 results by scanning 88,524 events in 16.991 seconds
base lispy: [ AND active index::_internal searches ]
index=_internal "active_searches"
This search has completed and has returned 1,000 results by scanning 88,668 events in 14.016 seconds
base lispy: [ AND active index::_internal searches ]
index=_internal TERM("active_searches")
This search has completed and has returned 96 results by scanning 96 events in 2.234 seconds
base lispy: [ AND active_searches index::_internal ]
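As an added illustration (not from the post and not Splunk's own code), the script below approximates how default segmentation breaks a search term into lispy tokens versus how TERM() keeps it whole, and parses the job summary lines above to compute scanned events per returned result. The breaker sets are an assumption approximating the segmenters.conf defaults, and the lispy output is simplified to match the shapes shown in the post.

```python
import re

# Assumption (not from the post): approximate Splunk's default segmenters.conf
# breakers. Real Splunk applies more rules than this simple split.
MINOR_BREAKERS = "/:=@.-$#%\\_"
MAJOR_BREAKERS = " \t\n\r[]<>(){},;!?\"'"

def segment(token):
    """Split one raw search term the way default segmentation would."""
    pattern = "[" + re.escape(MINOR_BREAKERS + MAJOR_BREAKERS) + "]+"
    return [t for t in re.split(pattern, token) if t]

def base_lispy(search):
    """Build a simplified base lispy: the tokens the index lookup checks."""
    terms = []
    for raw in re.findall(r'TERM\("[^"]*"\)|"[^"]*"|\S+', search):
        if raw.startswith('TERM("'):
            terms.append(raw[6:-2])            # literal term, kept whole
        elif raw.startswith("index="):
            terms.append("index::" + raw[6:])  # index filter, never split
        else:
            terms.extend(segment(raw.strip('"')))  # quotes do not stop splitting
    return "[ AND " + " ".join(sorted(terms)) + " ]"

def parse_job_summary(line):
    """Pull (results, scanned events, seconds) from a job summary line."""
    m = re.search(r"returned ([\d,]+) results by scanning ([\d,]+) events "
                  r"in ([\d.]+) seconds", line)
    if not m:
        raise ValueError("unrecognised summary line")
    results = int(m.group(1).replace(",", ""))
    scanned = int(m.group(2).replace(",", ""))
    return results, scanned, float(m.group(3))

def scan_ratio(line):
    """Scanned events per returned result; 1.0 means every scanned event matched."""
    results, scanned, _ = parse_job_summary(line)
    return scanned / results

if __name__ == "__main__":
    for s in ['bf=1', 'TERM("bf=1")', 'index=_internal TERM("active_searches")']:
        print(s, "->", base_lispy(s))
```

A high scan ratio from scan_ratio() is the sign that the first-level filter is admitting far more events than the search finally returns.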