When an event arrives to the database we split it on 2 parts: 


  1. plain text (pattern) in one part and 
  2. numbers and special symbols (values) in another part


The plain text is usually common for the vast majority of events while the part with numbers is the highly volatile part.

We have a reference with patterns and every event is referencing its pattern instead of storing it in its body.


The events search is produced against the reference of patterns. So to search for something like "mssql://aims011//aimsdf01" you type


mssql dccr IONBOD


Then the events are found in their XML with values and their pattern are merged back and shown on the search results page.