Query writing - referencing Description and Raw Event column

Created: 20 May 2009 • Updated: 21 May 2010 | 5 comments
novadean's picture
This issue has been solved. See solution.

I notice that when writing queries, certain columns (for example, Description and Raw Event) are only available in 'Filter Within Result' when displaying events line by line, compared to a query that displays a graph. Is there any way to reference these two columns in Filter Criteria? It would be nice to be able to use these two columns when creating a chart/graph.

novadean's picture

Whoops -- just got an explanation from Symantec:

They are not referenced because they cannot be indexed due to their nature.

Laurent_c's picture

As pointed out, the first filter is done on the indexing of the event, so events with unique fields (like description) cannot and should not be indexed.

The second filter ("Filter within Result") is less performant as it is a console based filter.

So you need to filter as much as possible on the first one and then apply the second filter for optimum performance on your query.

SOLUTION
Clément Herssens's picture

I agree that you can improve the performance by executing a second query within the results. Is there a reason why you can't filter within results when doing an "Event Counts by Field" query? In some situations you only want to consider events matching specific criteria which cannot necessarily be deduced from indexed fields.

Laurent_c's picture

When you query an Event count by field, you are querying a summary table, so I guess the filter works differently.

antilles's picture

The result of a Top N by field query consists of only two columns: the event field selected in the beginning and the amount of events for every value found in that event field, so the scope of values to filter is rather small.