Indexed field case 1 - rare instances of a common term

Let's say your log captures process exit codes. If 1 represents a failure, you probably want to be able to search for this efficiently. Consider a log that looks something like this:

4/1/12 6:35:50.000 PM process=important_process.sh, exitcode=1 

It would be easy to search for this log entry using exitcode=1. The problem is that, when working with extracted fields, the search is effectively reduced to this:

1 | search exitcode="1" 

Since the date contains 1, this search would find every event for the entire day and then filter the events to the few that we are looking for. In contrast, if exitcode were defined as an indexed field, the query would immediately find the events, only retrieving the appropriate events from the disk. Please note that binding an indexed field to any time (stamp) is risky. This wreaks havoc on data integrity and is not considered best practice.