Performance Problem with Filter


Postby MacBest » Wed Aug 17, 2016 10:35 am

Hi there,

I've found a strange problem when searching via LogAnalyzer (4.1.3).

Let me try to explain what I want to achieve...
I need to search for log entries from 2 devices. So I have to do some "OR" stuff. From these devices I need to filter for special entries (often IP addresses!).

So I tried some searches:

1. Searching for a "string" in both fromhosts:

datelastx:1 source:=asa5520-01-inside source:=asa5520-02-inside FQDN

This leads to the following SQL statement:

SELECT id, devicereportedtime, facility, priority, fromhost, syslogtag, processid, infounitid, message
FROM `SystemEvents`
WHERE devicereportedtime > '2016-08-16 16:07:22'
AND ( fromhost = 'asa5520-01-inside' OR fromhost = 'asa5520-02-inside' ) AND ( message LIKE '%FQDN%' )
ORDER BY id DESC LIMIT 100


and the response time is quite good.

2. Now comes the strange stuff. Searching for an IP in both fromhosts:

datelastx:1 source:=asa5520-01-inside source:=asa5520-02-inside 192.168

LogStream|SetFilter: SetFilter combined = 'datelastx:1 source:=asa5520-01-inside source:=asa5520-02-inside 192.168'.

Debug
LogStreamDB|CreateMainSQLQuery: Created SQL Query:
SELECT id, devicereportedtime, facility, priority, fromhost, syslogtag, processid, infounitid, message
FROM `SystemEvents` WHERE devicereportedtime > '2016-08-16 16:09:26'
AND ( fromhost = 'asa5520-01-inside' OR fromhost = 'asa5520-02-inside' )
AND ( message LIKE '%192.168%' ) ORDER BY id DESC LIMIT 100

Debug
LogStreamDB|CreateMainSQLQuery: Created SQL Query:
SELECT id, devicereportedtime, facility, priority, fromhost, syslogtag, processid, infounitid, message
FROM `SystemEvents` WHERE devicereportedtime > '2016-08-16 16:09:26'
AND ( fromhost = 'asa5520-01-inside' OR fromhost = 'asa5520-02-inside' )
AND ( message LIKE '%192.168%' )
AND id <= 14506724 ORDER BY id DESC LIMIT 100


As you can see, this fires 2 queries to the MySQL DB.
The first one is OK, but the second one with "id <= 14506724" takes a long time.
Why does this happen?

So I tried a workaround with "message:~":

datelastx:1 source:=asa5520-01-inside source:=asa5520-02-inside message:~192.168

SELECT id, devicereportedtime, facility, priority, fromhost, syslogtag, processid, infounitid, message
FROM `SystemEvents`
WHERE devicereportedtime > '2016-08-16 16:04:47'
AND ( fromhost = 'asa5520-01-inside' OR fromhost = 'asa5520-02-inside' OR fromhost REGEXP '192.168' )
ORDER BY id DESC LIMIT 100


But as you can see, the generated query is totally wrong now.

Any help welcome.

Greetings from sunny Germany

Jürgen

MacBest
New
Posts: 1
Joined: Wed Aug 17, 2016 9:59 am
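Added example (my own code, not LogAnalyzer's parser): a small compiler for the filter grammar seen in this post, producing the grouping the poster expected (same-column terms OR-ed, columns AND-ed, `message:~` bound to the message column rather than fromhost) with every value passed as a query parameter instead of being spliced into the SQL. The grammar, the names `build_query` and `escape_like`, and the explicitly supplied cutoff timestamp are assumptions, since the post does not show how a datelastx value maps to a time window.

```python
import re

# Simplified grammar modelled on the filter strings in the post (hypothetical,
# not LogAnalyzer's real parser):
#   datelastx:<n>     time window; the page does not show how <n> maps to a
#                     cutoff, so the caller passes the cutoff timestamp string
#   source:=<host>    exact match on fromhost
#   message:~<regex>  regex match on message
#   <bare word>       substring match on message (LIKE '%word%')
TOKEN = re.compile(r"(?:(?P<field>\w+):(?P<op>[=~])?)?(?P<value>\S+)")
SELECT = ("SELECT id, devicereportedtime, facility, priority, fromhost, "
          "syslogtag, processid, infounitid, message FROM `SystemEvents`")


def escape_like(text):
    """Escape LIKE metacharacters so free text cannot widen the match."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_query(filter_str, cutoff, before_id=None, limit=100):
    """Compile a filter string into (sql, params) for a DB-API cursor.

    cutoff is a 'YYYY-MM-DD HH:MM:SS' string. Terms on the same column are
    OR-ed inside one parenthesised group and the groups are AND-ed; every
    user-supplied value is bound as a parameter, never spliced into the SQL.
    """
    groups = {}            # column -> [(condition, param)], insertion ordered
    where, params = [], []
    for m in TOKEN.finditer(filter_str):
        field, op, value = m.group("field", "op", "value")
        if field == "datelastx":
            where.append("devicereportedtime > %s")
            params.append(cutoff)
        elif field == "source" and op == "=":
            groups.setdefault("fromhost", []).append(("fromhost = %s", value))
        elif field == "message" and op == "~":
            groups.setdefault("message", []).append(("message REGEXP %s", value))
        elif field is None:  # free text searches the message column only
            groups.setdefault("message", []).append(
                ("message LIKE %s", "%" + escape_like(value) + "%"))
        else:
            raise ValueError(f"unsupported filter term: {m.group(0)}")
    for conds in groups.values():
        where.append("( " + " OR ".join(c for c, _ in conds) + " )")
        params.extend(p for _, p in conds)
    if before_id is not None:  # paging query, like the second one in the post
        where.append("id <= %s")
        params.append(int(before_id))
    sql = f"{SELECT} WHERE {' AND '.join(where)} ORDER BY id DESC LIMIT {int(limit)}"
    return sql, tuple(params)
```

Pass the returned pair to `cursor.execute(sql, params)`; the paging variant with `before_id` reproduces the shape of the second query in the post so both can be inspected with EXPLAIN.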
