No Quick Values On Message Field #3957
Closed
Comments
Hi @jalogisch - I think it would be nice if this was configurable per stream by an administrator or someone with edit permissions on the stream. That will limit the ability of view-only users to conduct problematic queries on particular fields within a stream. A default value for the exclusion might include full_message and message. I also think that this has broader application beyond the QuickValues widget.
bernd added a commit that referenced this issue Sep 22, 2017
…fields By default the "message" and "full_message" fields are disabled because using analysis features like QuickValues on these can harm an Elasticsearch cluster. For now the config options *only* disable the UI elements in the web interface to make sure regular users cannot run dangerous queries. When using the REST API, a user can still run e.g. terms queries on these fields. Closes #3957
joschi added a commit that referenced this issue Sep 26, 2017
…fields (#4175) By default the "message" and "full_message" fields are disabled because using analysis features like QuickValues on these can harm an Elasticsearch cluster. For now the config options *only* disable the UI elements in the web interface to make sure regular users cannot run dangerous queries. When using the REST API, a user can still run e.g. terms queries on these fields. Closes #3957
Expected Behavior
It should be possible to disable quick values on certain fields.
Current Behavior
It might be easy for users to kill elasticsearch because they create a quick values widget from a certain time over a field like message or full_message.
That will then occupy elasticsearch for quite a while and make any other action impossible until the query is finished.
Possible Solution
Make the configuration option to disable quick values on some fields, messages and full_messages by default.
Context
The quick values widget gives, very fast, some nice insights - but the power that this has can kill the elasticsearch cluster. Even when you know that this can kill your cluster you might end up creating that widget for a search because you are inside of an investigation and need the information.
similar: #2039