Hi,
I have two identical queries on the dashboard, the only difference - one is based on previously defined search results. They produce very different charts however, here is the code and screenshots:
<form>
<search id="events_search">
<query>
index = "*" | fields *
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_token">
<label>Time</label>
<default>
<earliest>-48h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Errors (Based on events_search query)</title>
<search base="events_search">
<query> search level IN ("error", "fatal") | timechart count
</query>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>
<title>Errors (Not based on any existing query)</title>
<search>
<query> index = "*" | fields * | search level IN ("error", "fatal") | timechart count
</query>
<earliest>-48h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
So I wonder if it is a bug or some sort of known behavior?
1 Solution
