
Why are Scheduled Views Faster?

Scheduled View queries perform many calculations ahead of time, so a search against the view only has to read the pre-computed results rather than the original raw data.

For example, the source data behind the following Scheduled View example query amounts to 1,653GB over 30 days.

The resulting Scheduled View contains only 1.79GB of data over 30 days.

That's only 0.001 of the original data, a 1,000x difference!

// Purpose: turn explain-plan log lines into one flattened row per query execution
// (timings, index/Bloom-filter counts, time range, user, org), bucketed per minute.
//
// NOTE(review): the final "count by" keeps user, sessionid, the full query text and the
// whole explain_plan payload in every row. Query text can contain sensitive search terms,
// so read access to the resulting view presumably needs to be as restricted as access to
// the source logs; confirm against your role configuration.
//
// Scope: messages in the explain_plans view that contain all of the keywords below.
_view=explain_plans explainJsonPlan.ett stream_language.util.EttPlansCache "\"callerModule\" : \"service\""
// Capture everything after the "explainJsonPlan.ETT " marker as the plan payload.
| parse "explainJsonPlan.ETT *" as explain_plan
// Extract the listed keys from the payload as fields.
| json field=explain_plan "customerId", "executionDt", "rangeDt", "ett", "inputMessageCt", "messageCt", "callerModule", "query", "numViews", "isStreamScaledAggregate", "parseRegexTime", "indexCt", "indexCtAfterBloomfilter", "isAggregateQuery", "sessionId", "isInteractiveQuery", "exitCode", "statusMessage", "executionStartTime", "queryStartTime" , "queryEndTime" , "slowdownReason", "operatorRowCount"
// Re-check callerModule on the extracted field, not just as a keyword match.
| where callerModule="service"
// User identity comes from the "[auth=User:<user>:" prefix of the message.
| parse "[auth=User:*:" as user
// The following parses use nodrop, so messages without these operators are kept.
| parse "anchorParse, rowCount: *, time: *)" as parse_anchor_rowct, parse_anchor_millisecs nodrop
| parse "parseRegex, rowCount: *, time: *)" as parse_regex_rowct, parse_regex_millisecs nodrop
| parse "(MatchSignaturesOperator, rowCount: *, time: *)" as summarize_rowct, summarize_millisecs nodrop
// Two layouts of bloomFilterResult are handled (object form and bracketed list form);
// both write to the same bf_* fields.
| parse "\"bloomFilterResult\" : {\"OutOfTimerange\" : *, \"Maybe\" : *, \"DontKnow\" : *, \"No\" : *, \"NotReturned\" : *}," as bf_outoftimerange, bf_maybe, bf_dontknow, bf_no, bf_notreturned nodrop
| parse "\"bloomFilterResult\" : [MayBe: *, DontKnow: *, notReturned: *, no: *, outOfTimeRange: *]" as bf_maybe, bf_dontknow, bf_notreturned, bf_no, bf_outoftimerange nodrop
// Replace empty timing values (left by the nodrop parses above) with 0 so the arithmetic below works.
| if (parse_anchor_millisecs = "", 0, parse_anchor_millisecs) as parse_anchor_millisecs
| if (parse_regex_millisecs = "", 0, parse_regex_millisecs) as parse_regex_millisecs
| if (summarize_millisecs = "", 0, summarize_millisecs) as summarize_millisecs
// Resolve the organization name from a shared lookup keyed on customerId.
// NOTE(review): the lookup lives under a personal shared folder; confirm who can edit it,
// since its contents flow straight into the view.
| lookup org_name from /shared/aditya/config/organizations on org_id = customerId
// Derived timing metrics (milliseconds to seconds, combined parse time).
| parse_anchor_millisecs/1000 as parse_anchor_secs
| parse_regex_millisecs/1000 as parse_regex_secs
| parse_anchor_secs + parse_regex_secs as parse_secs
// speedup = searched time range divided by execution time.
// NOTE(review): no zero-divisor guard is visible for speedup or slowdown (only ispm is guarded below).
| rangeDt/executionDt as speedup
// NOTE(review): no "as" alias is given here; verify which field receives the rounded value.
| round(speedup)
| executionDt/ett as slowdown
// NOTE(review): several field names from here on differ in case from the json step
// (executiondt vs executionDt, rangedt, inputmessagect, ...); presumably resolved
// case-insensitively, so verify.
| executiondt/1000 as duration
| round(duration) as duration_secs | rangeDt / 60000 as rangeMinutes
// ispm = indices scanned (after Bloom filter) per minute of searched range; null becomes 0.
| indexCtAfterBloomfilter / rangeMinutes as ispm
| if (isNull(ispm), 0, ispm) as ispm
// Percentage of indices eliminated by the Bloom filter.
| indexCt-indexCtAfterBloomfilter as bloomfilter_diff
| bloomfilter_diff/indexCt*100 as index_filter_pct
| round(index_filter_pct)
// Searched range expressed in minutes, hours and days (range_mins repeats the rangeMinutes calculation).
| rangedt/1000/60 as range_mins
| range_mins/60 as range_hours
| range_hours/24 as range_days
// Human-readable timestamps; note start_time uses a different date pattern than the range bounds.
| formatDate(fromMillis(executionstarttime),"yyyy/MM/dd HH:mm:ss") as start_time
| formatDate(fromMillis(queryStartTime),"MM/dd/yyyy HH:mm:ss") as range_start
| formatDate(fromMillis(queryEndTime),"MM/dd/yyyy HH:mm:ss") as range_end
| concat(range_start, " ", range_end) as time_range
// Copy the extracted fields to the names used in the final output.
| callermodule as origin
| indexCt as initial_indices
| indexCtAfterBloomfilter as indices_scanned
| inputmessagect as msgs_scanned
| isAggregateQuery as aggregate
| messageCt as msgs_returned
| numViews as partitions_scanned
| customerId as orgid
// Fix the number of decimals by formatting to strings...
| format("%.2f",slowdown) as slowdown
| format("%.2f",range_days) as range_days
| format("%.2f",range_hours) as range_hours
| format("%.0f",range_mins) as range_mins
| format("%.0f",parse_secs) as parse_secs
| format("%.0f",ispm) as ispm
// ...then cast the formatted values and the parsed counters back to numbers.
| num(range_days)
| num(ispm)
| num(partitions_scanned)
| num(slowdown)
| num(exitcode)
| num(initial_indices)
| num(parse_secs)
| num(indices_scanned)
| num(msgs_scanned)
| num(msgs_returned)
| num(range_hours)
| num(range_mins)
| num(bf_outoftimerange)
| num(bf_maybe)
| num(bf_dontknow)
| num(bf_no)
| num(bf_notreturned)
// One-minute buckets; the count-by list defines the columns stored per row.
// NOTE(review): grouping by query and explain_plan carries the full text of both into every row; confirm both are needed.
| timeslice 1m
| count by _timeslice, sessionid, org_name, origin, duration_secs, parse_secs, exitcode, msgs_scanned, msgs_returned, partitions_scanned, initial_indices, indices_scanned, index_filter_pct, ispm, query, range_days, range_hours, range_mins, slowdown, speedup, start_time, statusmessage, user, aggregate, slowdownReason, time_range, bf_maybe, bf_dontknow, bf_notreturned, bf_no, bf_outoftimerange, summarize_millisecs, explain_plan, orgid