Describe the bug
If a query has multiple ORs and values are coming from a bloom filtered table, the execution time significantly slows down.
For example, one query took approx. 10 minutes while getting tokens took approx. 7 minutes. It might have been quicker to search without the bloom filter feature.
Expected behavior
Bloom filter should help with speeding up search times but in this case it seems like it's slowing it down.
How to reproduce
Use a bloom filtered table and then run a similar query like this:
index=foo earliest=03/01/2026:00:00:00 latest=03/31/2026:23:59:59 keyword1 OR keyword2 OR keyword3 OR keyword4 OR keyword5 OR keyword6 OR keyword7 OR keyword8 OR keyword9 OR keyword10 OR keyword11 OR keyword12 OR keyword13 OR keyword14 OR keyword15 OR keyword16 OR keyword17 OR keyword18 OR keyword19 OR keyword20 OR keyword21 OR keyword22 OR keyword23 OR keyword24 OR keyword25 OR keyword26 OR keyword27 OR keyword28 OR keyword29 OR keyword30 OR keyword31 OR keyword32 OR keyword33 OR keyword34 OR keyword35 OR keyword36 OR keyword37 OR keyword38 OR keyword39 OR keyword40 OR keyword41 OR keyword42 OR keyword43 OR keyword44 OR keyword45 OR keyword46 OR keyword47 OR keyword48 OR keyword49 OR keyword50 OR keyword51 OR keyword52 OR keyword53 OR keyword54 OR keyword55 OR keyword56 OR keyword57 OR keyword58 OR keyword59 OR keyword59 OR keyword60 OR keyword61 OR keyword62 OR keyword63 OR keyword64 OR keyword65 OR keyword66 OR keyword67 OR keyword68 OR keyword69 OR keyword70 OR keyword71 OR keyword72 OR keyword73 OR keyword74 OR keyword75 OR keyword76 OR keyword77 OR keyword78 OR keyword79 OR keyword80 OR keyword81 OR keyword82 OR keyword83 OR keyword84 OR keyword85 OR keyword86 OR keyword87 OR keyword88 OR keyword89 OR keyword90 OR keyword91 OR keyword92 OR keyword93 OR keyword94 OR keyword95 OR keyword96 OR keyword97 OR keyword98 OR keyword99 OR keyword100 OR keyword101 OR keyword102
| search EVENT_NAME
The original query also used rex and stats, so it might be good to test the query with them too.
Software version
pth_10: 12.1.1-1.noarch