Where clause syntax best practices
Maintaining the rule engine performance
To avoid slowing the performance of the rule engine, try to specify a selector that refers to a specific event class. It takes the cell less processing time to search a specific class than it does a generic class. Also, try to avoid performance-intensive where clauses and complex queries in the Using clause.
For example, using a match_regex() call can cause performance problems. Instead, use an equals, contains, matches, has_prefix, or has_suffix clause.
The following line:
might appear equivalent to
However, they are not equivalent. The rule engine maintains an inheritance table that enables it to be extremely efficient at manipulating classes. In the first syntax example, the rule engine literally must check to see whether the class name is the string 'APPLICATION_EVENT'. This literal comparison does not take advantage of the inheritance mechanism, and places a much heavier demand on the performance of the rule engine than the syntax in the second example. Using class comparisons in a where clause does not use the inheritance table optimization and results in performance degradation of the rule engine.
Equivalent syntax and backward compatibility
The following line can also be written as shown in the figure 1:
However, the following is permitted only for backward compatibility with the first initial releases of the MRL.
Syntax shortcut
In a where clause slot: is a shortcut for $EV.slot.
$EV.slot: is syntactically incorrect.