Module 7: Best Practices Flashcards
1
Q
Best practices (5)
A
Limit searches by time (most recent or in a window)
More precise searches (similar to longest prefix)
Inclusion better than exclusion (and better than not)
Apply filtering
Use multiple indexes to segregate data
2
Q
Time abbreviations
A
s: seconds
m: minutes
h: hours
d: days
w: weeks
mon: month
y: year
3
Q
Time abbreviation @ symbol
A
rounds down to nearest time unit
-30m@h for 9:37 gives you 9:00-9:37 (snaps 9:07 down to the hour)
4
Q
Time search strings (2)
A
Earliest
Latest
5
Q
Most efficient way to filter events
A
By time