Summary searches occur every 5 mins, but for those who need more immediate results, can a non-summary search be merged with the summary to fill in the most recent 5 mins? Would this make a difference in efficiency for a scheduled search that searches an hour back?
index=weblog_summary latest=-5m@m HTTP_RESPONSE="40*" URL="*" | append [|search index="weblog" earliest=-5m@m HTTP_RESPONSE="40*" URL="*"]
That sounds very much like report acceleration / data model acceleration. Both ways accelerate a search every X minutes and load the most recent minutes on the fly transparently without the user noticing.
As for the question itself, sure - just remember to apply whatever reporting happened to the summary search in the last-five-minutes-search as well.
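The point in the answer about repeating the summary's reporting on the live five-minute slice, as an added example that is not part of the original posts. It assumes the summary-populating search wrote one event per HTTP_RESPONSE and URL pair with a numeric `count` field, and that the summary is complete up to `-5m@m`; the index and field names are taken from the question, the rest is hypothetical.

```spl
index=weblog_summary earliest=-60m@m latest=-5m@m HTTP_RESPONSE="40*" URL="*"
| append
    [ search index=weblog earliest=-5m@m latest=now HTTP_RESPONSE="40*" URL="*"
      | stats count by HTTP_RESPONSE, URL ]
| stats sum(count) AS count by HTTP_RESPONSE, URL
| sort - count
```

Snapping both halves to the same `-5m@m` boundary keeps events from being counted twice or dropped, and the final `stats sum(count)` merges pre-aggregated summary rows with the freshly aggregated raw rows.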