I have some general questions about designing optimal rules. To my understanding there are three ways of constructing exclusions/filtering:
- Directly in the query with "NOT" statements
- Add as a filter
- Using rule exceptions
With regard to performance, which one is the most optimal/best, consuming the least amount of computer resources?
Furthermore, if a KQL query has a "NOT" statement in it, does the order matter in the query? Is it in any way beneficial to state the "NOT" statements at the very beginning of a query rather than at the end?
In addition, which language is preferable with regard to performance (KQL, DSL, ESQL, Lucene)?
Thanks!