hm, my question seems very similar to this one: http://bit.ly/M4yZl2 , but differs in the details.
i have an extant regular search i'd like to convert to a summary index search.
it looks more or less like this:
search foo | transaction maxspan=2h my_key | timechart count by bar
the trick is that we'd like to run this every 5 minutes, while maintaining the transaction maxspan of 2 hours.
so i'm not sure what the schedule for the summary index should be.
the clear choice is to schedule it every five minutes with earliest = -125m and latest = -5m,
(thanks to lguinn for the earliest/latest tip, here: http://bit.ly/L2Q4yS).
my concern is that each 5 minute span is now being searched 24 times, and presumably indexed that way as well,
and i don't know how this may affect the timechart on the summary index.
when i scheduled the summary for every 5 minutes with earliest = -10m and latest = -5m,
i got distinctly different results than from the non-summarized search, which makes sense if the transactions are being limited to 5 minutes.
naturally i'll just try a 2-hour search every 5 minutes and compare the summarized search to the non-summarized one,
but it would be great to hear any theory or best-practices around this situation.
tia,
orion