Our app leverages summary indexes to get good performance from data-intensive dashboards across millions of events.
But summary indexes are not perfect. For example, when the app is first installed, dashboards will be blank for a while (a lousy out-of-the-box experience), and for really fine-grained reporting (e.g. last 5 minutes) the summary indexes won't be useful.
What is the best practice or pattern for toggling between summarized and non-summarized dashboards?
It might be a worthwhile request to have a new TimePicker module that allowed one to specify different searches, search templates, or HiddenSearches depending on the size of the range that was selected. That would allow this problem to be solved by the UI/view developer quite cleanly.
Oh, one more possibility is to just display the searches from the summary, and modify the drill-down from the summary charts and tables to go to the raw data. This can be done in the view XML. It obviously only works if you've only got (raw, summary), and doesn't work if you have (raw, per-minute summary, hourly summary, daily summary) data.
Re: "just tell users to go to one...": how do you set up the navigation menus? Re: "new TimePicker module": do you mean a module that we can build into an app, or something that the Splunk product must include?
Well... I just had two different views in the menus, and you tell the users to pick the one that's appropriate (more detail vs. faster). The module, well, in theory you can supply your own, but that type of customization is unsupported in the Splunk product. However, my thought was that this is a common enough problem that it is something Splunk should include in the core product. It doesn't require changes in anything underlying and is probably useful for other things.