Here's the explanation:

"Sometimes you end up with a dashboard running lots of different searches but they all seem annoyingly similar.

One advanced technique is to run a single search, then use 'postProcess' to take the data in N different directions for N different charts.

Note: Read carefully. If set up improperly your results can be misleading.

It's tempting to have your base search just be the 'events' part of the search, and then have your postProcess module's each have different reports. like "timechart sum(kb) by series", or "chart avg(eps) over series".

However that can get you into trouble because splunk doesnt do unnecessary work, and if the search contains no indication that anyone wants statistics for a given field, it wont collect them. Or what's almost worse, it might collect incomplete statistics. In the end you might find that your postProcess always seems to return 0 results, or it seems to return results that on closer inspection are not correct. (for the advanced reader, the naive approach also breaks map-reduce a bit.)

The solution is to use the stats command in your base search. Stats will do all the work and get what Sorkin (aka the Sorkinator) calls the 'sufficient statistics'. Then later your postProcess searches will have all the raw materials they need.

Specifically, the search has these clauses on the end:

| bin _time span=5min | stats count by series, eps, kb, kbps, _time

The stats count with the various group-by clauses is the important part. The bin command is further optimizing our base search so that we dont have one row per timestamp, but one aggregate row per 5 minute bucket. Check out all the stuff on this page that we're able to do from just one search.

read through the XML source for this view in Manager to see how it works for yourself."

Are you using _time bins in the searchTemplate? ui_example app has very good reasoning for this situation.