Hi,
I have multiple panels that need to run timecharts like these:
- something | table _time,A,B</query> | search A="1"| timechart B
- something | table _time,A,B</query> | search A="2"| timechart B
- something | table _time,A,B</query> | search A="3"| timechart B
I want to optimize my dashboard for performance by using a base search, so I tried this:
<search id="base>
<query> something | table _time,A,B</query>
</search>
....
<panel>
<chart>
<search base="base">
<query>search A="1"|timechart count by B</query>
</search>
</chart>
</panel>
...
<panel>
<chart>
<search base="base">
<query>search A="2"|timechart count by B</query>
</search>
</chart>
</panel>
...
<panel>
<chart>
<search base="base">
<query>search A="3"|timechart count by B</query>
</search>
</chart>
</panel>
It works great on short times (24h) but with wider ranges (30 days) I lose events because of the base search limit (probably the default, 500,000).
Is there a way I can use base search for this?
I'm using Splunk Enterprise version 8.1.3.
