Alternatives to Inefficient Searches

There are ways to structure your queries so that they are less resource intensive and more efficient.

The following table lists queries that are expensive in terms of resources and time, and offers alternatives to each.

Resource Intensive Query	Appropriate Use-cases	Alternatives
Free text search	An initial search to start an investigation, when the user does not yet know what parsed fields to focus on. Exploration, searching without a specific intent or criteria. An uncommon query that is not worth changing parsers for.	Use a parsed field if possible. If parsed field is not possible, consider defining a customer parser and/or custom field.
Free text search using Regex or Wildcards	An initial search to start an investigation, when the user does not yet know what parsed fields to focus on. Searching without a specific intent, but you have specific criteria. An uncommon query that is not worth changing parsers for.	Use a parsed field if possible. If parsed field is not possible, consider defining a customer parser and/or custom field.
Using Regex or Wildcards on a field search.	Searching with criteria more specific than what current parsers are providing. An uncommon query that is not worth changing parsers for.	Tune parsers if the parsed values include unnecessary data.
Using Regex or Wildcards on an IP address field		CIDR notation or IP Address Range.
Case insensitive search	Want different, but similar results. Working around lack of normalization of values.	Case sensitive is faster and can return more precise results.
A query with a long list of OR operators		Use a context table. Use a Regex or wildcard pattern.
Queries using the NOT operator		Use a more precise inclusive pattern instead of excluding values.

Exabeam SearchExabeam Search Guide