The Query Duration panel presents queries that take longer than a second to complete.
At a glance, you can see which queries are taking a long time to complete, and take action to improve query structures and efficiency.
You can filter the displayed queries in the following ways:
All – Displays all queries that take longer than a second to complete.
UI – These slow queries are generated at the user interface.
Watchlist – Automated queries. Watchlist queries are created by Carbon Black EDR users and run every 10 minutes.
Feed Report – Automated queries that the threat research team generates. You cannot edit the queries, but you can ignore them.
API – These queries are run via an API.
A user or script can run UI- or API-generated queries many times. If any query takes long enough to appear in the Query Duration panel, multiple executions of that query add to the overall effect.
For queries that are too long to display in the panel, you can hover over the query to cause the entire query to display in the hover text. You can also click Copy to copy a query. This is useful for closely examining a complex slow-running query, and for editing a query to improve performance.