Overview
QueryTable implementation that works with the JEXL grammar. This QueryTable uses the metadata, global index, and partitioned table to return results based on the query. Example queries:

Single Term Query
'foo' - looks in the global index for foo, and if any entries are found, then the query is rewritten to be field1 == 'foo' or field2 == 'foo', etc. This is then passed down the optimized query path, which uses the intersecting iterators on the shard table.

Boolean expression
field == 'foo' - For fielded queries, those that contain a field, an operator, and a literal (string or number), the query is parsed and the set of eventFields in the query that are indexed is determined by querying the metadata table. Depending on the conjunctions in the query (or, and, not) and the eventFields that are indexed, the query may be sent down the optimized path or the full scan path.

We are not supporting all of the operators that JEXL supports at this time. We are supporting the following operators: ==, !=, >, ≥, <, ≤, =~, and !~

Custom functions can be created and registered with the Jexl engine. The functions can be used in the queries in conjunction with other supported operators. A sample function has been created, called between, and is bound to the 'f' namespace. An example using this function is: "f:between(LATITUDE,60.0, 70.0)"

Constraints on Query Structure
Queries that are sent to this class need to be formatted such that there is a space on either side of the operator. We are rewriting the query in some cases and the current implementation is expecting a space on either side of the operator. Users should also be aware that the literals used in the query need to match the data in the table. If an error occurs in the evaluation we are skipping the event.

Notes on Optimization
Queries that meet any of the following criteria will perform a full scan of the events in the partitioned table:

1. An 'or' conjunction exists in the query but not all of the terms are indexed.
2. No indexed terms exist in the query.
3. An unsupported operator exists in the query.
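
The three full-scan criteria above and the space-around-operator constraint can be modelled in a few lines. This is an added example, not code from the QueryTable implementation: the class ScanPathModel, the method fullScanReason and the sample field names are hypothetical. It assumes the caller supplies the set of indexed fields (the real class reads them from the metadata table) and that the query is a flat chain of FIELD OP LITERAL terms joined by and/or, with no parentheses, no 'not', no functions and no spaces inside literals.

```java
import java.util.*;
public class ScanPathModel {
    // Operators the page lists as supported; ">=" and "<=" are assumed ASCII spellings of ≥ and ≤.
    static final Set<String> SUPPORTED = Set.of("==", "!=", ">", ">=", "<", "<=", "=~", "!~");

    /** Returns the reason a query needs a full scan, or null if the optimized path applies. */
    static String fullScanReason(String query, Set<String> indexedFields) {
        // Splitting on whitespace only works because operators must have a space on either side.
        String[] tok = query.trim().split("\\s+");
        boolean hasOr = false, anyIndexed = false, allIndexed = true;
        for (int i = 0; i < tok.length; i += 4) {
            if (i + 2 >= tok.length)
                throw new IllegalArgumentException("expected FIELD OP LITERAL at token " + i);
            if (!SUPPORTED.contains(tok[i + 1]))
                return "unsupported operator: " + tok[i + 1];      // criterion 3
            boolean indexed = indexedFields.contains(tok[i]);
            anyIndexed |= indexed;
            allIndexed &= indexed;
            if (i + 3 < tok.length) {
                String conj = tok[i + 3].toLowerCase(Locale.ROOT);
                if (conj.equals("or")) hasOr = true;
                else if (!conj.equals("and"))
                    throw new IllegalArgumentException("expected and/or, got " + tok[i + 3]);
            }
        }
        if (!anyIndexed) return "no indexed terms";                 // criterion 2
        if (hasOr && !allIndexed) return "'or' with a non-indexed term"; // criterion 1
        return null;
    }

    public static void main(String[] args) {
        Set<String> indexed = Set.of("NAME", "CITY"); // constructed sample index
        String[] queries = { // constructed sample queries; the last one omits the required spaces
            "NAME == 'foo' and CITY == 'bar'", "NAME == 'foo' and AGE > 30",
            "NAME == 'foo' or AGE > 30", "AGE > 30",
            "NAME =^ 'fo'", "NAME=='foo'" };
        for (String q : queries) {
            String verdict;
            try {
                String r = fullScanReason(q, indexed);
                verdict = (r == null) ? "optimized path" : "full scan (" + r + ")";
            } catch (IllegalArgumentException e) {
                verdict = "rejected: " + e.getMessage();
            }
            System.out.println(q + " -> " + verdict);
        }
    }
}
```

Running it shows that an 'and' with one non-indexed term stays on the optimized path while the same terms joined by 'or' fall back to a full scan, and that a query written without spaces around the operator cannot be split into terms at all.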