Hello,
We have one search that pulls back a large set of data for 30 days and is accelerated. In planning, I was under the assumption that Splunk would attempt to use the accelerated search to help speed up additional similar searches, but it does not appear to.
Here is the original search:
index=cerner Application=powerchart OR Application=snsurginet OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia | timechart avg(ResponseTime) by TriggerName useother=f
But then in my dashboard I try to filter this down further on host, TriggerName, App, etc. by passing in searches similar to the one accelerated through a drop-down, hoping that Splunk would recognize it to be similar and take advantage of the acceleration, but it doesn't. For example, one of my new searches would be: index=cerner host=h1* Application=powerchart TriggerName="USR:PWR-Application Startup" | timechart avg(ResponseTime) by TriggerName | addtotals. Still the same concept, but just narrowed down. Essentially I was trying to make this dynamic without having to make 20+ saved accelerated searches.
Any ideas on how this could work, or am I looking at it from the wrong angle?
Thanks!