Your first search string is the more efficient of the two, as it's best to exclude as early as possible. However, to make the second example work, replace
And extension!=NULL
with
isnotnull(extension)
This is because where uses eval expressions, one of which is the function isnotnull . In your second example extension!=NULL is actually interpreted as <fieldA> is not equal to <fieldB> (where <fieldB> is a non-existent field called NULL).
For reference, see the documentation on Informational Functions (http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/InformationalFunctions)
... View more