mergene
Brass Contributor
Aug 08, 2020

Cross Workspace Analytic Rule Performance

Hi, I have several workspaces containing SecurityEvent table having data. When I perform a union on the workspaces and then do the filtering, calculation, etc., the query consumes too much resour...
  • Ofer_Shezaf
    Aug 09, 2020

    mergene 

     

    First, search should not be more performant than union, so the difference may be elsewhere.

     

    As to your question: I can't think of a way to avoid repeating the query; however, I can make it simpler:

     

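    // Tabular function: takes any table that has an int EventID column
    let Filter = (T:(EventID:int))
    {
        T | where EventID == 4624
    };
    // Apply the same filter to each workspace's table, then combine the results
    union
        (workspace("a").SecurityEvent | invoke Filter()),
        (workspace("b").SecurityEvent | invoke Filter())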

     

    While for a single condition it might not be much shorter, it is still more elegant, and will become much shorter if you have more conditions.
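
The same pattern with several conditions, as an added example that is not part of Ofer_Shezaf's reply: one tabular function holds every filter, each workspace leg invokes it, and the aggregation runs once after the union. The function name `RdpLogons`, its `ws` parameter and the chosen conditions are assumptions for illustration; "a" and "b" are the placeholder workspace names from the reply.

```kql
// Added example. "a" and "b" are the placeholder workspace names from the reply;
// RdpLogons and the ws parameter are hypothetical names chosen for illustration.
let RdpLogons = (T:(TimeGenerated:datetime, EventID:int, LogonType:int, Account:string, Computer:string, IpAddress:string), ws:string)
{
    T
    | where TimeGenerated > ago(1h)
    | where EventID == 4624          // successful logon
    | where LogonType == 10          // RemoteInteractive (RDP)
    | where Account !endswith "$"    // drop machine accounts
    | project TimeGenerated, Workspace = ws, Account, Computer, IpAddress
};
union
    (workspace("a").SecurityEvent | invoke RdpLogons("a")),
    (workspace("b").SecurityEvent | invoke RdpLogons("b"))
// Aggregate once, over rows that each union leg has already filtered.
| summarize Logons = count(), Sources = dcount(IpAddress) by Workspace, Account, Computer
```

Adding a workspace is one more `invoke` line, and changing a condition is a single edit inside the function.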
