Database Reference
In-Depth Information
Finding all events for a particular host/date
Expanding on our “security audit” example, suppose we isolated the incident to a particular
server and wanted to look at the activity for only a single server on a particular date. In this
case, we'd use a query that resembles the following:
>>> from datetime import datetime
>>> # All events for one host on one day (half-open range: >= Oct 10, < Oct 11)
>>> q_events = db.events.find({
...     'host': '127.0.0.1',
...     'time': {'$gte': datetime(2000, 10, 10), '$lt': datetime(2000, 10, 11)}
... })
The indexes you use may have significant implications for the performance of these kinds of
queries. For instance, you can create a compound index on the time-host field pair (noting that
order matters), using the following command:
>>> # create_index() replaces ensure_index(), which newer PyMongo releases no longer provide
>>> db.events.create_index([('time', 1), ('host', 1)])
To analyze the performance for the above query using this index, MongoDB provides the
explain() method. In Python, for instance, we can execute q_events.explain() in a console.
This will return something that resembles:
{ ...
  u'cursor': u'BtreeCursor time_1_host_1',
  u'indexBounds': {u'host': [[u'127.0.0.1', u'127.0.0.1']],
                   u'time': [
                       [datetime.datetime(2000, 10, 10, 0, 0),
                        datetime.datetime(2000, 10, 11, 0, 0)]]
  },
  ...
  u'millis': 4,
  u'n': 11,
  u'nscanned': 1296,
  u'nscannedObjects': 11,
  ... }
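Why field order in the compound index drives the gap between nscanned and n, as an added example in plain Python (a simplified model of a sorted index, not code from the original text or from MongoDB). The host addresses and event data are constructed, and the function names are hypothetical.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

# Constructed sample data: 20 hosts, one event per host per hour for 3 days.
HOSTS = ['10.0.0.%d' % i for i in range(1, 21)]
START = datetime(2000, 10, 9)
EVENTS = [(START + timedelta(hours=h), host)
          for h in range(72) for host in HOSTS]


def scan_time_host(events, host, t_from, t_to):
    """Model an index on (time, host): entries are ordered by time first."""
    index = sorted(events)                       # keys are (time, host)
    lo = bisect_left(index, (t_from,))           # first key with time >= t_from
    hi = bisect_left(index, (t_to,))             # first key with time >= t_to
    scanned = index[lo:hi]                       # every host inside the window
    matched = [key for key in scanned if key[1] == host]
    return len(scanned), len(matched)


def scan_host_time(events, host, t_from, t_to):
    """Model an index on (host, time): one host's entries are contiguous."""
    index = sorted((h, t) for t, h in events)    # keys are (host, time)
    lo = bisect_left(index, (host, t_from))
    hi = bisect_left(index, (host, t_to))
    scanned = index[lo:hi]                       # this host, this day only
    return len(scanned), len(scanned)


if __name__ == '__main__':
    day = (datetime(2000, 10, 10), datetime(2000, 10, 11))
    for name, scan in (('time, host', scan_time_host),
                       ('host, time', scan_host_time)):
        scanned, matched = scan(EVENTS, '10.0.0.7', *day)
        print('index (%s): scanned=%d returned=%d' % (name, scanned, matched))
```

With time first, the range walk covers every host that logged during the day; with host first, the equality match narrows the walk to one contiguous run before the time range is applied.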
This query had to scan 1,296 items from the index to return 11 objects in 4 milliseconds.
Conversely, you can test a different compound index with the host field first, followed by the
time field. Create this index using the following operation: