Are certain types of searches more expensive than others? Like: NOT something AND "something else"?
In general, queries that involve more search terms are slightly more expensive to run, but the Sumo Logic search engine handles them quite efficiently so the difference is not appreciable. The most important factors affecting the time to complete a query are the length of the time range for the search and the number of matching results.
The best practice is to start with a narrow search: use a specific keyword expression and a limited time range. You can make the query even more specific by extending the keyword expression with Boolean operators (like OR and NOT) or by using metadata like Source Category or Source Host in your keyword expression.