XQL Query best practices - Learn about best practices for streamlining XQL queries. - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-06-10
Category
Administrator Guide
Abstract

Learn about best practices for streamlining XQL queries.

Cortex Cloud includes built-in mechanisms for mitigating long-running queries, such as default limits for the maximum number of allowed issues. The following suggestions can help you streamline your queries:

  • Add a smaller limit to queries by using a limit stage.

    When no limit is stated explicitly in the query, a query returns a maximum of 1,000,000 results by default. Queries based on XQL query entities are limited to 10,000 results. Adding a smaller limit can greatly reduce the response time.

    Example 53. 

    dataset = microsoft_windows_raw
    | fields *host*
    | limit 100

  • Use a small time frame by setting a specific date and time in the Timeframe, for example selecting Relative time and defining Last 30 Minutes, rather than picking the nearest larger option available or defining an extended time period.

  • Use filters that exclude data, together with any other applicable filters, so that later stages of the query process fewer records.

  • Select only the specific fields that you want to see in the query results rather than returning every field.
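
The four suggestions above combined in a single query, as an added example that is not part of this page. It extends the page's own `microsoft_windows_raw` example: the `config timeframe` stage is the XQL syntax for scoping a query's time range inline, while the field names `host_name`, `channel` and `event_id` and the filter values are assumptions chosen for illustration, not fields this page documents.

```xql
// Added example, not from the page. host_name, channel and event_id are
// assumed field names; the filter values are illustrative only.
config timeframe = 30m                  // small time frame instead of a wide default
| dataset = microsoft_windows_raw       // dataset used in the page's own example
| filter channel != "Application"       // exclusion filter applied early to drop rows
| filter event_id != null               // further narrowing with another filter
| fields _time, host_name, event_id     // only the fields needed in the results
| limit 100                             // explicit small limit instead of 1,000,000
```

Each stage narrows the data before the next one runs, so the time frame and the exclusion filters do most of the work and the `fields` and `limit` stages keep the returned result set small.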