SIEM feature request

Hi all,
I have noticed that the API search in Elastic using the console is really fast compared to how Kibana searches. I was wondering if there is any difference between how Kibana KQL searches with the text box and the API search in the console.
And if there is a difference, can you make a box so that we can input the JSON API query in the SIEM, and then SIEM will call the API directly to query for data?
I think it will be much faster than how KQL searches.

Thanks for your time

Hello @lusynda. The Elastic SIEM is doing a bit more work than just one KQL search. When you are in the Elastic SIEM, the KQL search is filtering multiple queries on the page for each data widget or table that you see. The KQL search is only part of the query. Each widget will have an inspect button in the top right corner. The timeline inspect button is in the top right actions dropdown. This will bring up a modal, telling you the index patterns queried, and the request tab shows the full query that can be run in the console. This includes the KQL query.

We have a new "Data Sources" feature in 7.10 that gives the user control over the index patterns queried. You may be seeing faster performance in the console because you are only querying across one index pattern. By narrowing which index patterns are queried, you will see a performance boost.

Here is what this feature looks like on the Hosts page:

And here it is in Timeline:

Please let me know if any of this helps.

Best,

Steph

Yes, thank you for your answer.
I do have some other things to ask if you don't mind.
So can a SIEM query do a regex search like the API can?

It'd be easier if you could create a new topic on the other questions 🙂