Where clause syntax best practices
Maintaining the rule engine performance
To avoid slowing the performance of the rule engine, try to specify a selector that refers to a specific event class. It takes the cell less processing time to search a specific class than it does a generic class. Also, try to avoid performance-intensive where
clauses and complex queries in the Using
clause.
For example, using a match_regex()
call can cause performance problems. Instead, use an equals
, contains
, matches
, has_prefix
, or has_suffix
clause.
The following line:
EVENT($EV) where [$EV.CLASS == 'APPLICATION_EVENT']
might appear equivalent to
APPLICATION_EVENT ($EV)
However, they are not equivalent. The rule engine maintains an inheritance table that enables it to be extremely efficient at manipulating classes. In the first syntax example, the rule engine literally must check to see whether the class name is the string 'APPLICATION_EVENT
'. This literal comparison does not take advantage of the inheritance mechanism, and places a much heavier demand on the performance of the rule engine than the syntax in the second example. Using class comparisons in a where
clause does not use the inheritance table optimization and results in performance degradation of the rule engine.
Equivalent syntax and backward compatibility
The following line can also be written as shown in the figure 1:
$APEV.mc_host equals 'thathost'
mc_host:equals thathost
However, the following is permitted only for backward compatibility with the first initial releases of the MRL.
$EV.mc_host:equals 'thathost'
Syntax shortcut
In a where
clause slot:
is a shortcut for $EV.slot
.
$EV.slot:
is syntactically incorrect.
Comments
Log in or register to comment.