Thanks Runals for the tips. I tried with TERM(), but it doesn't help much; I think it's because more than 95% of the syslog events contain the keyword, and the whole search runs within the same index, since I only have one index with all the data in it.
Below are my results, and I find that by eliminating the search for query:, I got the fastest completion time:
sourcetype="syslog" TERM(query:) earliest=-15m | timechart count by host   (completion time 03:15)
sourcetype="syslog" earliest=-15m | search query: | timechart count by host   (completion time 02:29)
sourcetype="syslog" earliest=-15m | timechart count by host   (completion time 01:41)
However, some of the events are without the query: keyword; therefore, in reality, I can't eliminate query: from the search string.