queryQuery to expand into memoryLazyExpr (required)
keyThe name of the column to use as a key.string (required)
periodThe latest age of the cache.int64


Memoize a query into memory.

Memoizing a query means to cache the results of the query so they can be accessed quickly.

Consider the following query:

LET ProcessDetails(ProcessPid) = SELECT Name, Pid, Ppid FROM pslist()
  WHERE Pid=ProcessPid

This query retrieves the process details for any Pid such as the Name, Pid and parent Pid.

While this query works, imagine having to use it in a large query to resolve many different processes. Each time the function is called the pslist() plugin is run over all processes and the correct process is selected - this can lead to thousands of pslist() executions!

We can solve this by memoizing the results of the query - i.e. storing them in memory and retrieving a single row based on a key.

LET m <= memoize(query={
   SELECT str(str=Pid) AS Key, Name, Pid, Ppid FROM pslist()
}, key='Key')

The memoize() function looks like a dict() and when accessed will automatically run the query once and cache its rows. The Key column of the query is used as the key of the dict.

You can access the cache using the get() function or the . operator. If the key matches the entire row is retrieved:

SELECT get(item=m, field=str(str=Pid)).Name AS ProcessName
FROM source()
comments powered by Disqus