Forum Discussion

mergene's avatar
mergene
Brass Contributor
Aug 08, 2020
Solved

Cross Workspace Analytic Rule Performance

Hi,   I have several workspaces containing SecurityEvent table having data. When I perform a union on the workspaces and then do the filtering, calculation, etc., the query consumes too much resour...
  • Ofer_Shezaf's avatar
    Ofer_Shezaf
    Aug 09, 2020

    mergene 

     

    first, search should not be more performant than union, so the difference may be elsewhere. 

     

    As to your question: I can't think of a way to avoid repeating the query, however, I can make it simpler:

     

    let Filter = (T:(EventID:int))
    {
     T | where EventID == 4624
    };
    union (workspace("a").SecurityEvent | invoke Filter()),(workspace("b").SecurityEvent | invoke Filter())

     

    While for a single condition it might not be much shorter, it is still more elegant, and will become much shorter if you have more conditions.

Ofer_Shezaf's avatar
Ofer_Shezaf
Icon for Microsoft rankMicrosoft
Aug 09, 2020

mergene 

 

"search in" vs. "union": if you search in a small subset of tables and do "union *", then you might be faster. In general, search (and search in) is much slower: it usually implies "contains" across all fields which is the most expensive query. With union you can use any operator and more directly limit to fields.  

 

Well, you can do search in (SecurityAlert, SecurityEvent) _ResourceId:"127.0.0.1", but then it would be exactly like a simlar union.

 

As to my example: do whatever you like in the function. Just remember to declare any field from the source table you will reference. 

mergene's avatar
mergene
Brass Contributor
Aug 09, 2020
Thanks Ofer! Creating a function and doint an iteration looks very useful.

Resources