Use 1 saved search for multiple visualizations vs. build visualizations on a dedicated saved search

Hi guys,

Maybe I have a stupid question. I'm just wondering which approach has better performance. An example scenario is like this...

I wanted to monitor several Windows events, let's say event ids 4780, 5376, 5377.
Approach 1: save a search of all the event ids, then build visualize metrics based on the saved search by adding a filter to select the desired event id.
Approach 2: save 3 separate searches, each search bound to 1 event id, then build visualizations based on each saved search.

Hi,

There is absolutely no (noteworthy) performance difference between those :)
In the end the first approach would give you a filter for that single id and another filter for all the 3 ids. Elasticsearch is clever enough to find out really quickly that it only needs to filter for that single id.
Approach two will just have that filter for the single id (coming from the saved search) and will also just filter down to documents of that id. So the only difference that really needs to be done is that Elasticsearch needs to figure out that id in [4780, 5376, 5377] AND id == 4780 is the same as id == 4780, and that's not much of a performance overhead :) Also there is a very minor difference in the way that will be handled in the browser to build that request, but there, too, the performance difference is absolutely not noteworthy.

From the example you have given, it sounds like you wouldn't even need a saved search? Can't you just simply add the filter to the visualization, filtering down to that specific id (or does the saved search have other filters in it that should be the same for all ids)?

Cheers,
Tim

Thanks Tim. Great clarification. I'm building some metrics to monitor key Windows events and the question suddenly came to my mind. And as you mentioned, I wouldn't even need a saved search. I'll give it a try. Thanks.

If you don't need the saved search, that's actually the fastest solution :)

Not for Elasticsearch, which will still see the same query as in use-case 2 above, with just an id == 4780 filter, but a saved search is stored in a different document in the .kibana index than the actual visualization configuration. So basically when you link to a saved search, Kibana needs to request two documents from the so-called Saved Object service, which will load them from the .kibana index. So without the linked search you actually only need one. That's slightly faster on the frontend side... so to be fair, usually also not THAT much of a difference :)

But if you don't need it, rather just attach the filter to the visualization directly.

Cheers,
Tim

PS: Please feel free to come back with any more questions that we can assist you with.
