filterIndex compared to filter

To illustrate the difference between filterIndex and filter, consider the following example queries. Assume that you have created a field index for IPaddress, for four of your log groups, but not for a fifth log group. The following query using filterIndex will skip scanning the log group that doesn't have the field indexed. For each indexed log group, it attempts to scan only log events that have the indexed field, and it also returns only results from after the field index was created.


fields @timestamp, @message 
| filterIndex IPaddress = "198.51.100.0" 
| limit 20

In contrast, if you use filter instead of filterIndex for a query of the same five log groups, the query will attempt to scan not only the log events that contain the value in the indexed log groups, but will also scan the fifth log group that isn't indexed, and it will scan every log event in that fifth log group.


fields @timestamp, @message 
| filter IPaddress = "198.51.100.0" 
| limit 20

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

filterIndex

SOURCE