The following example is pretty fast:
| from datamodel:rc-stats | search _time > 1519966560 _time <= 1519970160 | stats count
Why the next two similar queries are so slow? The slowness also occurs if we evaluate values before the search.
| from datamodel:rc-stats | search earliest = 1519966560 latest = 1519970160 | stats count as cnt
| from datamodel:rc-stats | search _time > -4h@h _time <= -3h@h | stats count as cnt
We need to calculate the time ranges before doing the search on the datamodel but if we use anything that is not a numeric value, the search does a full scan which is pretty slow.
Is there a way to do a search using calculated time ranges that is as fast as the first query?
Example: (the real query uses more complex ranges)
| from datamodel:rc-stats
| eval now = now()
| eval lastFourHours = now - (4 * 3600)
| search _time >= lastFourHours
| ...
... View more