| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
...
| Anchor | ||||
|---|---|---|---|---|
|
...
If you use a Finder to open a data table, you can pre-select only the fields with data that is of interest to you. This reduces the amount of data that your browser needs to load into memory. Here's how.
If you have a query already open in the search window, you can use the Field manager tool to pick the fields you want to show or hide. Here's how.
| Anchor | ||||
|---|---|---|---|---|
|
Avoid automatic data type conversions
When comparing a field with a constant and they have different data types, it is recommended to fine-tune the query to avoid the automatic conversions performed by Devo. Even though this is barely noticeable with small queries, it may increase speed and performance with complex queries.
For example, if we have a string and an integer:
eq(string,"123")is faster thaneq(string,123)→ This is because in the first block we are avoiding the automatic conversion that would be performed in the second block (from integer to string).eq(integer,123)is faster thaneq(integer,"123")→ This is because in the first block we are avoiding the automatic conversion that would be performed in the second block (from string to integer).
Useful features
There are some great tools available in the search window that you might overlook. Here we list a few that can really come in handy.
...
This feature offers you a simple way to apply a recently-used time range to other queries without having to repeatedly use the time range selector. Read more about it here.
Other considerations
Once a query’s events have been grouped, there are some limitations you should keep in mind if you want to apply additional operations.
...
Bonus tips
Sparse verses dense
Suppose you have to search for a specific tree in both a sparse forest and a dense forest. The spare forest will have a small number of trees and it will be really easy to spot a special tree. However, the dense forest will have too many trees that could possibly match the one you're looking for; you would have to manually inspect every tree.
This concept directly relates to the frequency of values and the number of events in your searches.
| Info |
|---|
Tip When running a search in Devo, it's best to use sparse terms, that is, a word, a number or a value that is found relatively infrequently. |
Ordering of clauses
The order of clauses is important to achieve optimal performance in your queries. See the following example, where 99% of the logs in the table include the term "INFO". This query:
from application.log.log where toktains(raw, "INFO"), service="test"
...
| Info |
|---|
Tip When adding several |
Be careful when using the Not operation
The Not (not) operation does not use the token index, so it is recommended to push Not clauses down your query and apply additional filter operations before.
| Info |
|---|
Tip Use Not operators as last clauses if you have values you can index on. Otherwise, use them at the beginning of the query if you have to go through every line. |
Use logical operators in the proper order
When using the logical operators And (and), Or (or) and Not (not), it is important to place them properly in the query to get the required results. Always keep in mind the De Morgan's law:
not (A or B) → (not A) and (not B)
not (A and B) → (not A) or (not B)
...