A user has a dashboard made of multiple searches all based on the last 24 hours of a single very large index.
Some panels should show stats based on the full 24 hours, others should only show stats based on the last 5 or 15 minutes.
To save resources and speed it up, I'd like to run a single search that returns events for the past 24 hours, then run a sub-search on that result to retrieve the most recent 5 minutes, or 15, or....
How can I do that?
You need a 24-hour base search and then a few post-process searches for each trimmed-down situation:
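As an added illustration of the base search plus post-process approach (example Simple XML written for this thread, not code from either poster; the index name syslog_example and the field host are assumptions), the base search runs once over 24 hours and each panel trims the shared result set by _time instead of querying the index again:

```xml
<dashboard>
  <label>Syslog volume (base search + post-process)</label>
  <!-- Base search: runs once over the last 24 hours. Keep only the fields
       the panels need; a post-process search only sees the first 500,000
       events of a non-transforming base search by default, so narrow it. -->
  <search id="base24h">
    <query>index=syslog_example | fields _time host</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Events, last 24 hours</title>
      <single>
        <search base="base24h">
          <query>| stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Events, last 15 minutes</title>
      <single>
        <search base="base24h">
          <!-- Filter the shared results by _time; no new index scan -->
          <query>| where _time &gt;= relative_time(now(), "-15m") | stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Events per host, last 5 minutes</title>
      <table>
        <search base="base24h">
          <query>| where _time &gt;= relative_time(now(), "-5m") | stats count by host</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because every panel reads the live base search rather than a summary index, events that arrive late (for example after the HF-to-indexer link is restored) appear as soon as the base search refreshes.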
I'm under the impression that summary indexing is brittle if you run the risk of events coming in to the index "late". This index is populated by HFs running on a syslog receiver farm, and it's not unusual to lose connectivity between the HF and the index cluster for a couple of hours.
Use |append and run the search again as a subsearch with a hard-coded time range using earliest=-15m latest=now. Your time picker could be 24hrs, or you can leave it in your search as well. Whatever field you are using to calculate on will need to be named differently than in your main search, for instance:
search "search" | stats count(a) as ex1 | append [ search "search" earliest=-15m latest=now | stats count(a) as ex2 ]
Keep in mind there is a default subsearch timeout of 60s.