Hi, I did not find an answer on the Internet :( I would like to know, from a cluster utilization perspective, whether it depends on the order of fields in a query. Specifically, let's say I have the index and data below:
"_index": "firewall"
There are several blades sending logs from my firewalls (meaning the "blade" logs are a subset of all logs in the index "firewall"), e.g.:
"firewall.blade" : "firewall"
"firewall.blade" : "application"
"firewall.blade" : "ips"
Which query is more effective?
"source.ip" : "10.1.1.2" OR "source.ip" : "10.45.2.5"
("source.ip" : "10.1.1.2" OR "source.ip" : "10.45.2.5") AND "firewall.blade" : "application"
"firewall.blade" : "application" AND ("source.ip" : "10.1.1.2" OR "source.ip" : "10.45.2.5")
Thank you! Jan
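The three candidate queries from the post, expressed as Elasticsearch query DSL so they can be compared on a real cluster. This is an added example, not code from the post or from Elastic; the index name, field names and IP values come from the post, while the helper names, the choice of filter context and the use of the Profile API (`"profile": true`) are this example's own assumptions.

```python
"""Added example (not from the forum post): build the three candidate queries
from the post as Elasticsearch query DSL and wrap them in Profile API requests,
so their per-shard timings can be compared on the reader's own cluster.
Index name, field names and IP values are taken from the post; helper names,
the use of filter context and the profiling wrapper are this example's choices."""
import json

INDEX = "firewall"
SOURCE_IPS = ["10.1.1.2", "10.45.2.5"]   # the two addresses from the post
BLADE = "application"


def ip_clause():
    # "source.ip": A OR "source.ip": B  ->  one terms query on the field
    return {"terms": {"source.ip": SOURCE_IPS}}


def blade_clause():
    return {"term": {"firewall.blade": BLADE}}


def build_query(variant):
    """variant 1: IPs only; 2: IPs AND blade; 3: blade AND IPs
    (variants 2 and 3 carry the same clauses, only in swapped order)."""
    if variant == 1:
        filters = [ip_clause()]
    elif variant == 2:
        filters = [ip_clause(), blade_clause()]
    elif variant == 3:
        filters = [blade_clause(), ip_clause()]
    else:
        raise ValueError("variant must be 1, 2 or 3")
    # filter context: clauses are not scored and their results are cacheable
    return {"query": {"bool": {"filter": filters}}}


def same_clauses(q_a, q_b):
    """True when two bool queries contain the same filter clauses, ignoring order."""
    def key(clause):
        return json.dumps(clause, sort_keys=True)
    a = sorted(key(c) for c in q_a["query"]["bool"]["filter"])
    b = sorted(key(c) for c in q_b["query"]["bool"]["filter"])
    return a == b


def profile_request(variant, size=0):
    """Request body for GET /firewall/_search with profiling enabled; the response
    then carries per-shard query and collector timings for each variant."""
    body = build_query(variant)
    body["profile"] = True
    body["size"] = size       # size 0: measure matching, not hit fetching
    return body


if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"# GET /{INDEX}/_search  (variant {v})")
        print(json.dumps(profile_request(v), indent=2))
```

Each printed body can be sent as the request to `GET /firewall/_search`; comparing the `profile` section of the responses for variants 2 and 3 shows what the cluster actually does with the two clause orders, which is the measurement the question asks for.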