I have a dashboard with multiple line charts showing values over time. I want all charts to have the same fixed time (X) axis range, so I can compare the graphs visually. Something like the fixedrange option in the timechart command. However, I use a simple "| table _time, y1, y2, yN" instead of timechart, because I want the real timestamps in the graph, not some approximation due to timechart's notorious binning. To mimic the fixedrange behavior, I append a hidden graph with just two coordinate points (t_min|0) and (t_max|0):

...
| table _time, y1, y2, y3, ..., yN
| append [
| makeresults
| addinfo
| eval x=mvappend(info_min_time, info_max_time)
| mvexpand x
| rename x as _time
| eval _t=0
| table _time, _t
]

This appended search appears very cheap to me - it alone runs in less than 0.5 seconds. But now I realized that it makes the overall search dramatically slower, about x10 in time. The number of scanned events explodes. This even happens when I reduce to:

| append maxout=1 [ | makeresults count=1 ]

What's going on here? I would have expected the main search to run exactly as fast as before, and the only toll should be the time required to add one more line with a timestamp to the end of the finalized table, no?