Kibana 8.7 expensive queries

Elastic Stack Kibana
1

Hello,

after upgrading Elastic and Kibana to 8.7 i get reports from users that they are seeing this:
image
Combined with missing values in the control. If they type the value they are missing in the search field of the control, it shows up.

So i never set anything related to expensive queries. Up until now i did not know this setting exists and prior to the 8.7 Update, this has never happened.
Initially i did not notice it, because this only happens for users. With the superuser account, this warning is never shown.

So i did a quick research and checked

GET /_cluster/settings

Which resulted in

{
  "persistent" : { },
  "transient" : { }
  }
}

So

"search.allow_expensive_queries"

was neither true nor false.

I used

PUT _cluster/settings
{
  "transient": {
    "search.allow_expensive_queries": "true"
  }
}

and now

GET /_cluster/settings

returns

{
  "persistent": {},
  "transient": {
    "search": {
      "allow_expensive_queries": "true"
    }
  }
}

but i still get the warning and missing values with test accounts, that are not the superuser.

How do i fix this and why did it happen in the first place? This is another problem i have with 8.7. This release looks really unfinished and untested, which is usually not the case with elastic.
(Disable exists query in Kibana 8.7, Kibana 8.7 Control Sort)

Edit: This is the case for all controls for all dashboards. The fields are just normal keyword or number fields. No scripted or runtimefields or anything that would justify a problem with expensive queries.

Edit2: The problem is resolved for a user if he is given the "monitor" (or manage or all as they are supersets) cluster privilege. But what has that to do with any of this?

Best regards
Jonas

2

2 posts were split to a new topic: Control visualisation issues

3

Hi @Jonas_S,
That sounds frustrating and glad you figured out the monitor permission. I learned something new with that, so thank you. While I can't speak to the issue you are seeing I did want to share this command which will let you see the default values of your cluster. Helpful in these types of situations going forward:

GET _cluster/settings?include_defaults=true
1 Like
6

@Jonas_S In 8.7, the controls use expensive queries for the "load more" mechanism that allows the user to scroll down to see more options. The controls should still work correctly with that setting off, but by default only 10 options will be shown, and the user will need to type to search for others. This was the case in all versions before 8.7 - the behaviour should be exactly the same.

Generally, users should not run into this warning as the allow_expensive_queries setting should be on by default, and very few clusters turn it off. Did you run this command to check for the default value?

GET _cluster/settings?include_defaults=true

I'm not sure if I can help with the strange overlap you're seeing here with the monitor privilege and allow_expensive_queries so I've reached out to another team for a hand. Hopefully they will get back to me soon.

EDIT - it looks like I'm actually able to reproduce this issue if I give a user read only permissions to an index. My best guess is that you need the monitor permission to check if the allow_expensive_queries setting is on or off. I will keep researching this and get back to you. Likely we will need to change the code to fix this, so thank you for bringing it to our attention!

1 Like
7

Update: I have opened this issue to track the problem that monitor is required to use the expensive controls functionality and I have created a PR that will fix it.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.