I have been working on making a Python program to run a query looking at events where a node went down. From here I am collecting the nodes which are down and looking at all net flows across the node. I want to narrow this down to all net flows across the node, over port 80, and within a certain time range of the node going down, maybe 20 minutes. The problem I am having is that when testing these queries in SWQL Studio, I am getting extremely long query times and continue receiving the error "Execution Timeout Expired." I am not sure what is causing this, and it still happens when I only query for the top 1 result like this:
SELECT TOP 1 ApplicationID, DestinationHostname, DestinationIP, Port, SourceHostname, SourceIP, TimeStamp, Description, TotalBytes, f.Node.Caption AS Node
FROM Orion.Netflow.Flows f
WHERE Port = '80'
If I take out the "DestinationHostname", "SourceHostname", and Node selects, I am able to query for thousands of rows in fractions of a second.
Any insight as to what might be causing these queries to take so long and what steps I could try next?