Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
407
Views
0
Helpful
1
Replies

Custom Columns question

clausonna
Level 3
Level 3

‎03-23-2009 10:58 AM

I run a LOT of "All Matching Sessions, Custom Column" queries, since they let me more quickly see the Host Pairs involved with an incident (and/or to see ALL of the host pairs matching certain criteria)

Anyways, there are two options for having a column on Destination Address. The first is the Dest. Address all by itself, so if you wanted Port and/or Protocol you'd have to explicitly request them. The other option is a single field "Destination Address, Port, and Protocol" (e.g. the results are grouped together.)

My questions is: which field type is more efficient from a MARS SQL query perspective? In other words, is it faster to split the fields out (e.g. one field for Destination Address, another field for Destination Port) or is it faster to have them a single, combined field.

Labels:
0 Helpful
1 Reply 1

Farrukh Haroon
VIP Alumni
VIP Alumni

‎03-23-2009 01:04 PM

Why don't you try both of them out (for the same traffic flows/time period) and then compare the query response times?

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents