Query Optimization for Better Performance

Besides narrowing the time span of the query, the best way to improve performance is to use the CONTAINS operator, which lets the query engine consult the full-text index instead of scanning every event.

For example:

sys_body CONTAINS 'string'

quickly finds all the events that contain the token 'string' by using the index.
Note: The index stores only whole words, called tokens. Characters such as punctuation, spaces, and similar separators are not indexed, so CONTAINS matches complete tokens, not arbitrary substrings.

Even if your query filters on other columns or operators, you can accelerate it if you know some tokens that appear verbatim in the events you are looking for: add them to the query with the CONTAINS operator, and the index narrows the set of events that the remaining conditions must be evaluated against.

For example, the following query works as is:

USE Microsoft_Windows | ll_actionID = 4291

However, since we know that the token 4291 appears in the events we are looking for, we can get faster results by typing:

USE Microsoft_Windows | ll_actionID = 4291 AND sys_body CONTAINS '4291'
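The following Python script is an added illustration of why the second form is faster; it is not code from the product documented on this page, and the event records, the tokenizer rule, and the function names (tokenize, build_index, contains, query) are constructed for the example. It builds a small inverted index over a handful of made-up Windows-style events, then runs the ll_actionID filter once over every event and once only over the candidates the index returns for the token '4291'. It also shows two behaviours of a token index that the text above describes: a partial string such as '429' is never found, and the token '4291' is found even when it is glued to punctuation, which is why the column condition must stay in the query (event 5 contains 4291 as a process id, not as an action id).

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original page). sys_body is the
# raw text the index is built from; ll_actionID is a parsed column.
EVENTS = [
    {"id": 1, "ll_actionID": 4291, "sys_body": "Logon succeeded; Action=4291, User=alice."},
    {"id": 2, "ll_actionID": 4291, "sys_body": "Action: 4291 (audit success) for bob"},
    {"id": 3, "ll_actionID": 4625, "sys_body": "Logon failed, Action=4625, User=alice"},
    {"id": 4, "ll_actionID": 4291, "sys_body": "Action=4291 retried, session 7"},
    {"id": 5, "ll_actionID": 4688, "sys_body": "Process created pid 4291 name cmd.exe"},
]

# Assumed tokenizer: runs of letters, digits and underscore are tokens;
# everything else (punctuation, spaces) is a separator and is not indexed.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")


def tokenize(text):
    """Split text into whole-word tokens. Lower-casing is an assumption of
    this toy index, not a documented property of the real product."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


def build_index(events):
    """Inverted index: token -> set of ids of the events containing it."""
    index = defaultdict(set)
    for ev in events:
        for tok in tokenize(ev["sys_body"]):
            index[tok].add(ev["id"])
    return index


def contains(index, token):
    """Model of CONTAINS: a single dictionary lookup, independent of the
    number of events. Partial strings that are not a whole token miss."""
    return index.get(token.lower(), set())


def query(events, index, action_id, contains_token=None):
    """Evaluate ll_actionID = action_id, optionally pre-filtering through the
    index with CONTAINS. Returns (matching ids, events the column filter had
    to examine) so the saving from the index is visible."""
    if contains_token is None:
        candidates = events                      # full scan of every event
    else:
        by_id = {ev["id"]: ev for ev in events}
        candidates = [by_id[i] for i in sorted(contains(index, contains_token))]
    matches = sorted(ev["id"] for ev in candidates if ev["ll_actionID"] == action_id)
    return matches, len(candidates)


if __name__ == "__main__":
    idx = build_index(EVENTS)
    # Whole-token semantics: '4291' is found even next to '=' and ',',
    # while the substring '429' is not a token and is never found.
    print("CONTAINS '4291' ->", sorted(contains(idx, "4291")))
    print("CONTAINS '429'  ->", sorted(contains(idx, "429")))
    # Same result set either way; the indexed form examines fewer events.
    print("ll_actionID = 4291                     ->", query(EVENTS, idx, 4291))
    print("ll_actionID = 4291 AND CONTAINS '4291' ->", query(EVENTS, idx, 4291, "4291"))
```

Both forms of the query return events 1, 2 and 4. Without CONTAINS the column filter examines all five events; with it, the index hands back only the four events that carry the token '4291', and the column condition then discards event 5, where 4291 is a process id rather than an action id. On a real event store the candidate set is a tiny fraction of the total, which is where the speed-up comes from.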