I'm trying to get my head around the alternatives, but can't see how I could get rid of the `join` in the following query:
index="docverificationengine" "Issuing country does not match WR records for Sender" | rex field=_raw "records for Sender \[(?P[^\]]+)\]" | table senderId | join senderId [ search index="senderverification" Verification "DocumentType\\\":2" | rex field=_raw "queue: {\\\\\"SenderId\\\\\":(?\d+)," | table senderId]
I have to admit though, that I don't have a clear concept of what would be a good performance. It takes around 4.5 seconds to run with a set of less than 2k in the "docverificationengine" index but over 300k in the "senderverification" one
↧