Improve the Performance of Dashboards and Reports
You can improve the performance of your reports, dashboards, and worksheets by following these best practices.
-
Use
startswithorendswithInstead ofcontainsto Create Conditions -
Put the Most Expensive Conditions Towards the Top of your Building Blocks Hierarchy
-
Use the Flyover Option for Dashboards with Multiple Charts and Tables
Use Raw Database Fields Instead of Defined Functions Fields
Where possible, use raw database fields over defined function fields to speed up the search process by limiting the number of events searched.
icons represent the defined function fields. 
icons represent the raw database fields.
For example, use: [Events.deviceAddressBin][is not][null] instead of [Device Address][is not][null].
Use Normalized Event Time Instead of the Time Field
Use normalizeEventTime instead of the field from the logical model. Because the field requires extra calculations, whereas normalizeEventTime is a raw field, your query will run more quickly. For more information, see Use Raw Database Fields instead of Defined Functions Fields.
Use the Integer Variant Instead of the String Variant
When data can be represented in a string format or an integer format, use the integer format of the data field because strings are defined functions and integers are raw database fields. For more information, see Use Raw Database Fields instead of Defined Functions Fields.
For example, use: [Events.agentSeverity][is][one of][3,4] instead of [Events.Agent Severity String][is][one of][High,Very-High].
Display Host Names Instead of IP Addresses on Charts
Where possible, use host names because host names are represented as raw fields in the database. IP addresses represented as database function v6_ntoa(Events1_O.destinationAddressBin) AS Target Address will be calculated for every selected event.
Use 'startswith' or 'endswith' instead of 'contains'
To create conditions, use startswith or endswith instead of contains, when possible. This narrows your search, and your queries will process more quickly.
For example: [Events.categoryTechnique][is][starting with][/Traffic Anomaly].
Put the Most Expensive Conditions at the Bottom of Your Worksheets
When you have conditions that take up a lot of operation space, put them at the bottom of your worksheet. This will limit the quantity of events that the expensive condition must search, and thus speed up your query.
Put the Most Expensive Conditions Towards the Top of Your Building Blocks Hierarchy
For advanced users.
When you need to display expensive conditions on your dashboard, you can move it up in the hierarchy. This improves your dashboard's performance because those conditions will not run against every event.
Put Parameters at the Top of your Worksheets
If you create a dashboard or report with parameters (for example, data for a specific host), arrange the worksheet conditions so that the parameter goes before the complex conditions. This will limit the events that the complex conditions search and speed up your query.
For example:
[Events.destinationHostNamelowerCase][is][contains][$(hostname(equal_or_like))]
[and]
[Events.Time][is][between][$start_time.$(end_time)]
Use the Flyover Option for Dashboards with Multiple Charts and Tables
When you have a dashboard with a table, consider using the flyover option instead of using the charts and tables on one screen. If you designed the dashboard with the flyover option, the dashboard will show one chart. When you click on a specific target, a flyover table will show the information for this specific target. Right-click the dashboard you want to use the flyover option.
1. Select .
2. Under , click the box or boxes for the additional chart or table you want to appear, and then click .
Additionally, when you again pause the mouse over the specific target, the flyover information appears more quickly because it is drawn from the cache.