I have a dashboard that has 9 searches. I currently extract my graphs from 6 Summary Indexes. 5 of the Summary Indexes come from the same data set, and 3 of the searches are the exact same data except that it is grouped.
0) I have done a pre-search for the 3 pairs of data. (aka I have figured out how to methods, barely)
1) I would like to get this to 3 searches so that normal users can display the dashboard. What constitutes a search: a database search? Or does the post search also count?
2) I did some rough counts. If I merge the 5 summary indexes into one, there will be about 300 events per minute. Does this help or hurt the dashboard?
3) For some of the charts I can only get 2 hours' worth of data to display instead of the 4 which the others can get. I don't know where I am running into this limitation. (I get everything when I do the original dashboard with 9 searches.)
4) When doing a pre-search on the dashboard, can you do a double pre-search? This would help the pairs of data I referred to above.
I feel that I am running into some roadblocks as I am transferring my view from simple to optimized.
I did pre-searches so that I can display the data in two ways, a summary and a more granular view. I was able to cut my searches in half. I also ran into the limit of the graphing display, so instead of setting a time limit, I let the graphing program do more of the work. I was also running into the 10,000 limit for the GUI.
I was also able to merge several time ranges into one view by use of a time selector.
In general I learned a bit since I posted this, and wanted to close the question.