
Hi everyone!

Does anyone know if it makes any difference how you order the search parameters in a search query?

Example:

event_id=1234 event_channel="Security"

vs.

event_channel="Security" event_id=1234

Hi Markus

From my experience it does make a difference as to performance how you structure your queries.

I always consider the approach like:

repos (preferably using repo selector and not ‘repo_name=xxx’)

device_name

event_channel

event_id


Hi Markus!

I just wanted to ask the exact same question. 

For me this is a possible performance improvement for LogPoint: to consider the parts of the query independently and re-order them in the fastest way. If I, for example, do a very time-consuming search for a feature in the raw log and afterwards filter out easily distinguishable fields such as the repo (as Hans Henrik suggested), there could be a large difference. I am considering inserting this as an idea for improvement.

Best regards 
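
Added illustration, not part of the thread and not LogPoint's engine: a generic model of AND-ed filters evaluated left to right with short-circuiting, comparing a query written with the raw-log search first against the same terms re-ordered cheapest first. The cost constants, helper names and sample events are assumptions constructed for the example.

```python
import re

FIELD_COST, RAW_COST = 1, 50   # assumed relative costs, not measured on LogPoint

def field(name, value):
    """Cheap test: exact match on an already-extracted field."""
    return (f"{name}={value}", FIELD_COST, lambda e: e.get(name) == value)

def raw(pattern):
    """Expensive test: regex scan over the raw log text."""
    rx = re.compile(pattern)
    return (f"raw~/{pattern}/", RAW_COST, lambda e: rx.search(e["raw"]) is not None)

def run(predicates, events):
    """AND the predicates left to right, stopping at the first failure per event."""
    hits, cost = [], 0
    for e in events:
        for _, c, test in predicates:
            cost += c
            if not test(e):
                break
        else:
            hits.append(e)
    return hits, cost

def reorder(predicates):
    """Cheapest test first; the stable sort keeps the written order among equals."""
    return sorted(predicates, key=lambda p: p[1])

def sample_events():
    """Constructed data: 1000 events, 10 of them Security channel / event_id 1234."""
    events = []
    for i in range(1000):
        sec = i % 100 == 0
        events.append({
            "repo": "windows" if i % 2 == 0 else "firewall",
            "event_channel": "Security" if sec else "Application",
            "event_id": 1234 if sec else 7000 + i % 5,
            "raw": f"seq={i} user=svc{i % 7} action={'logon' if i % 3 == 0 else 'other'}",
        })
    return events

def compare():
    """Return (hits, cost) for the written order followed by the re-ordered query."""
    events = sample_events()
    written = [raw(r"action=logon"), field("event_id", 1234),
               field("event_channel", "Security"), field("repo", "windows")]
    slow_hits, slow_cost = run(written, events)
    fast_hits, fast_cost = run(reorder(written), events)
    return len(slow_hits), slow_cost, len(fast_hits), fast_cost
```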

 

