/graylog2-server

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No Quick Values On Message Field #3957

Closed
jalogisch opened this Issue Jun 30, 2017 · 1 comment

Comments

Assignees

@bernd bernd

Labels
feature triaged
Projects
None yet
Milestone
  2.4.0
5 participants
@jalogisch @billmurrin @florianvolle @lennartkoopmann @bernd
@jalogisch
Member

jalogisch commented Jun 30, 2017

Expected Behavior

It should be possible to disable quick values on certain fields.

Current Behavior

It might be easy for users to kill elasticsearch because they create a quick values widget from a certain time over a field like message or full_message.
That will then occupy elasticsearch for quite a while and make any other action impossible until the query is finished.

Possible Solution

Make the configuration option to disable quick values on some fields, messages and full_messages by default.

Context

The quick values widget gives, very fast, some nice insights - but the power that this has can kill the elasticsearch cluster. Even when you know that this can kill your cluster you might end up creation that widget for a search because you are inside of an investigation and need the information.

similar: #2039

@jalogisch jalogisch added the feature label Jul 3, 2017

@florianvolle florianvolle added the triaged label Jul 13, 2017

@billmurrin

This comment has been minimized.

Sign in to view
Contributor

billmurrin commented Aug 4, 2017

Hi @jalogisch - I think it would be nice if this was configurable per stream by an administrator or someone with edit permissions on the stream.

That will limit the ability of view-only users from conducting problematic queries on particular fields within a stream. A default value for the exclusion might include full_message and message.

I also think that this has broader application beyond the QuickValues widget.

@lennartkoopmann lennartkoopmann modified the milestones: 3.0.0, 2.4.0 Aug 22, 2017

@bernd bernd self-assigned this Sep 21, 2017

bernd added a commit that referenced this issue Sep 22, 2017

@bernd
Add config option to disable analysis features in the UI for certain … 
…fields

By default the "message" and "full_message" fields are disabled because
using analysis features like QuickValues on these can harm an
Elasticsearch cluster.

For now the config options *only* disable the UI elements in the web
interface to make sure regular users cannot run dangerous queries. When
using the REST API, a user can still run e.g. terms queries on these
fields.

Closes #3957
Loading status checks…
3f40b0e

@bernd bernd referenced this issue Sep 22, 2017

Merged

Add config option to disable analysis features in the UI for certain fields #4175

@wafflebot wafflebot bot added the in progress label Sep 22, 2017

@joschi joschi closed this in #4175 Sep 26, 2017

joschi added a commit that referenced this issue Sep 26, 2017

@bernd @joschi
Add config option to disable analysis features in the UI for certain … 
…fields (#4175)

By default the "message" and "full_message" fields are disabled because
using analysis features like QuickValues on these can harm an
Elasticsearch cluster.

For now the config options *only* disable the UI elements in the web
interface to make sure regular users cannot run dangerous queries. When
using the REST API, a user can still run e.g. terms queries on these
fields.

Closes #3957
Loading status checks…
244fc29

@wafflebot wafflebot bot removed the in progress label Sep 26, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment