I am trying to track user/machine logons. To help with this, I created the following query as an accelerated report:
(index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*.mydomain
| eval acctN=mvindex(Account_Name,1)
| search acctN=*
| bin _time span=1d as date
| eval ComputerName=replace(ComputerName,".mydomain","")
| eval user=upper(acctN)
| eval domain=upper(TargetAccountDomain)
| stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
| sort 0 user ComputerName
As an accelerated report this runs quite quickly for most time ranges:
a month gives me 23K stats in 12 seconds
90 days gives me 55K stats in 50 seconds.
However, a YTD is brutal.
I figure that I could use this report to do quick research on users/logons that I might see in a new computer/logon alert (to be created). So I built a dashboard with inputs for time, user, ComputerName and tried this:
(index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*.mydomain TargetAccountName=$user$ ComputerName=$computer$
| eval acctN=mvindex(Account_Name,1)
| bin _time span=1d as date
| eval ComputerName=replace(ComputerName,".mydomain","")
| eval user=upper(acctN)
| eval domain=upper(TargetAccountDomain)
| stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
| sort 0 user ComputerName
But that runs slower; the one-month query goes to 45 seconds. So it looks like the acceleration statistics are at a higher level than the windows index. So then I tried moving my search term to the end.
(index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*.mydomain
| eval acctN=mvindex(Account_Name,1)
| bin _time span=1d as date
| eval ComputerName=replace(ComputerName,".mydomain","")
| eval user=upper(acctN)
| eval domain=upper(TargetAccountDomain)
| stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
| sort 0 user ComputerName | search user=$user$ ComputerName=$computer$
This runs way better: one month in 5 seconds, which is faster than reporting on a month of everything. But that's even more confusing, since according to the query I had to summarize a month of everything before I could filter for user and ComputerName.
So how are Accelerated Reports indexing their summarized data? And what/why is the best way to filter that data?
(also, would this have been a better case for a summary index?)
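An added example, not part of the original post: a Python model of the post's SPL pipeline run over a handful of constructed 4624/4625/4648 events. It shows why the third query can legitimately return the same rows as the second: `user` and `ComputerName` are by-fields of the `stats`, so applying the user/computer filter to the summarized rows selects exactly the rows that filtering the raw events first would have produced. Field names follow the post; the events, timestamps and account names are constructed sample data, and `Account_Name` is modelled as the multivalue [subject, target] pair that the `mvindex(Account_Name,1)` in the query assumes.

```python
"""Model of the post's SPL pipeline over constructed Windows logon events.

Demonstrates that `... | stats ... by ComputerName user Logon_Type | search user=X ComputerName=Y`
(third query) yields the same rows as filtering the raw events before the stats
(second query), because the filtered fields are group-by keys of the stats.
"""
from collections import defaultdict
from datetime import datetime, timezone

DOMAIN_SUFFIX = ".mydomain"   # as in the post's replace(ComputerName, ".mydomain", "")

# Constructed sample events (not real logs). Account_Name is multivalued in
# 4624/4625/4648 events: [subject account, target account], hence mvindex(..., 1).
EVENTS = [
    {"_time": "2024-03-01T08:01:00Z", "EventCode": 4624, "Account_Name": ["-", "alice"],
     "TargetAccountDomain": "corp", "ComputerName": "ws01.mydomain", "Logon_Type": "2"},
    {"_time": "2024-03-01T17:30:00Z", "EventCode": 4624, "Account_Name": ["-", "alice"],
     "TargetAccountDomain": "corp", "ComputerName": "ws01.mydomain", "Logon_Type": "2"},
    {"_time": "2024-03-02T09:12:00Z", "EventCode": 4625, "Account_Name": ["-", "alice"],
     "TargetAccountDomain": "corp", "ComputerName": "ws01.mydomain", "Logon_Type": "2"},
    {"_time": "2024-03-02T09:15:00Z", "EventCode": 4648, "Account_Name": ["alice", "svc_backup"],
     "TargetAccountDomain": "corp", "ComputerName": "ws01.mydomain", "Logon_Type": "3"},
    {"_time": "2024-03-03T10:00:00Z", "EventCode": 4624, "Account_Name": ["-", "bob"],
     "TargetAccountDomain": "corp", "ComputerName": "srv02.mydomain", "Logon_Type": "10"},
    # Target "-" (e.g. a system logon): dropped by TargetAccountName!="-" in the base search.
    {"_time": "2024-03-03T10:05:00Z", "EventCode": 4624, "Account_Name": ["-", "-"],
     "TargetAccountDomain": "-", "ComputerName": "srv02.mydomain", "Logon_Type": "3"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def base_search(events):
    """The terms before the first pipe: EventCode IN (...), target != "-", *.mydomain hosts.
    TargetAccountName is modelled as the second Account_Name value."""
    for ev in events:
        target = ev["Account_Name"][1] if len(ev["Account_Name"]) > 1 else None
        if (ev["EventCode"] in (4624, 4625, 4648) and target not in (None, "-")
                and ev["ComputerName"].endswith(DOMAIN_SUFFIX)):
            yield ev


def summarise(events):
    """The eval/bin/stats part: one row per (ComputerName, user, Logon_Type).
    The `domain` eval is not a by-field, so stats drops it; it is omitted here."""
    groups = defaultdict(lambda: {"EventCodes": set(), "DaysSeen": set(),
                                  "earliest": None, "latest": None})
    for ev in base_search(events):
        t = _ts(ev["_time"])
        key = (ev["ComputerName"].replace(DOMAIN_SUFFIX, ""),   # eval ComputerName=replace(...)
               ev["Account_Name"][1].upper(),                    # eval user=upper(acctN)
               ev["Logon_Type"])
        g = groups[key]
        g["EventCodes"].add(ev["EventCode"])                     # values(EventCode)
        g["DaysSeen"].add(t.date())                              # bin _time span=1d, values(date)
        g["earliest"] = t if g["earliest"] is None else min(g["earliest"], t)
        g["latest"] = t if g["latest"] is None else max(g["latest"], t)
    return dict(groups)


def filter_then_summarise(events, user, computer_fqdn):
    """Second query: TargetAccountName=$user$ ComputerName=$computer$ on the raw events.
    Field-value matching is modelled case-insensitively, like Splunk search terms."""
    raw = [ev for ev in events
           if len(ev["Account_Name"]) > 1
           and ev["Account_Name"][1].lower() == user.lower()
           and ev["ComputerName"].lower() == computer_fqdn.lower()]
    return summarise(raw)


def summarise_then_filter(events, user, computer_short):
    """Third query: full summary, then `| search user=$user$ ComputerName=$computer$`.
    Note ComputerName has already had .mydomain stripped at this point."""
    return {k: v for k, v in summarise(events).items()
            if k[1] == user.upper() and k[0].lower() == computer_short.lower()}


if __name__ == "__main__":
    pre = filter_then_summarise(EVENTS, "alice", "ws01.mydomain")
    post = summarise_then_filter(EVENTS, "alice", "ws01")
    assert pre == post, "filtering before or after stats must agree on by-field filters"
    for (host, user, ltype), g in sorted(post.items()):
        print(host, user, ltype, sorted(g["EventCodes"]), len(g["DaysSeen"]), "day(s)",
              g["earliest"].isoformat(), g["latest"].isoformat())
```

One consequence worth noticing in the model: the filter in the second query has to use the fully qualified name (`ws01.mydomain`), while the filter after `stats` uses the stripped name (`ws01`), because the `replace()` eval has already run by then. The equivalence only holds for fields that are by-fields of the `stats`; filtering on something that is not a by-field (such as `EventCode`) before versus after the summary gives different rows.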