HI!
I have a search which runs daily and results in a single number.
It looks more or less like:
search foo | dedup bar | stats count
I would love to get a nice pretty chart of the result over, say, the last 90 days.
I could do something like this:
search foo | eval day=floor(_time/(60*60*24)) | dedup day bar | stats count by day
and run it over the time range I'm interested in (say 90 days),
but I'd really prefer not to re-run this moderately expensive search on data it's already been run on.
Any tips?
also fwiw,
so far I've only used the web UI, and would prefer to stay in that space,
but if scripting is required, then maybe I'll have to go there.
tia,
Orion
Have a look at Summary Indexing
You could store the results of your daily search in a summary index, and then run your 90-day search against the summary index. Summary index data does not count towards your license consumption.
And just to offer an alternative to summary indexing: your chart could reference a scheduled search that counts "bar" per day over the last 90 days. Each time the chart loads it will use the results from the last time the scheduled search ran, rather than executing the search inline each time.
Schedule this search to run daily (I included the time range in the search string, but you can also specify it when setting up the scheduled search):
index=foo earliest=-1d@d latest=@d | bucket span=1d _time | stats count as "daily_count" by bar, _time
And send the results to a summary index:
summary_foobar_daily_count
And then every 90 days you can run a search on the summary index to give you a time-based chart:
index=summary_foobar_daily_count earliest=-90d@d latest=@d | timechart span=1d first(daily_count) by bar
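The pattern both answers describe, as an added example that is not part of this thread and not Splunk code: an expensive per-day search runs once per day and stores its single number, and the 90-day chart reads only the stored numbers. It is a Python simulation over constructed events (the event shape, the bar values and the 90-day window are assumptions), and it also shows two things worth knowing before relying on a summary index: storing per-day results keyed by day makes a rerun or backfill idempotent (Splunk's collect appends, so a real backfill needs the same care), and a day the scheduler missed shows up as a gap rather than as a zero.

```python
from datetime import date, timedelta

# Constructed sample: one raw event per (day, bar). Day i has bars b0..b{i%4}
# and every bar appears twice, so "dedup bar | stats count" for day i is i%4+1.
START = date(2024, 1, 1)


def day(i: int) -> date:
    """Calendar day i of the constructed window (day(0) == START)."""
    return START + timedelta(days=i)


def build_events(days: int = 90) -> list[tuple[date, str]]:
    events = []
    for i in range(days):
        for k in range(i % 4 + 1):
            events.append((day(i), f"b{k}"))
            events.append((day(i), f"b{k}"))  # duplicate, collapsed by dedup
    return events


def daily_search(events, which: date) -> int:
    """The expensive daily search restricted to one day, i.e.
    search foo earliest=day latest=day+1 | dedup bar | stats count."""
    seen = {bar for ev_day, bar in events if ev_day == which}
    return len(seen)


def summarize_day(events, which: date, summary: dict) -> int:
    """Scheduled daily job: run the expensive search for one day and store the
    number under that day. Keying by day means a rerun overwrites the old row
    instead of appending a second one (the append behaviour of collect is what
    makes backfilling a real summary index easy to double-count)."""
    summary[which] = daily_search(events, which)
    return summary[which]


def chart_last_days(summary: dict, latest: date, days: int = 90):
    """The cheap chart query: it takes no raw events at all, only the summary.
    latest is exclusive, like latest=@d. A day with no stored row comes back as
    None so a gap in the scheduler's history is visible rather than read as 0."""
    first = latest - timedelta(days=days)
    return [(first + timedelta(days=i), summary.get(first + timedelta(days=i)))
            for i in range(days)]


def distinct_over_window(events, first: date, latest: date) -> int:
    """dedup bar | stats count over the whole window, scanning raw events.
    This is NOT the sum of the daily numbers: distinct counts do not add."""
    return len({bar for ev_day, bar in events if first <= ev_day < latest})


if __name__ == "__main__":
    events = build_events()
    summary = {}
    for i in range(90):
        summarize_day(events, day(i), summary)
    for d, count in chart_last_days(summary, day(90)):
        print(d.isoformat(), count)
    print("sum of daily distinct counts:", sum(c for _, c in chart_last_days(summary, day(90))))
    print("distinct over 90 days:", distinct_over_window(events, day(0), day(90)))
```

The last two lines of the demo are the caveat: a chart of daily distinct counts is exactly what the question asked for, but adding those daily numbers up does not give the number of distinct bar values over 90 days, so a summary index of daily counts cannot answer that second question without re-running the dedup over the raw data.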
So after reading the man page on indexed search results, I'm not entirely sure what I should make the search look like. My raw search is this: "search foo | rex (?
Interesting, thanks. I'll give that a shot.