We have observed in our stack that a lot of the users are making queries without specifying a single indexed field. And we would like to soft-warn our users when they do so.
What would be the best way to implement something like that?
I thought of a few options -
Chrome extension
Kibana plugin
Implement rejecting the query in the proxy layer (we run a proxy layer)
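One way to implement the proxy-layer option as a soft warning rather than a rejection, as an added example that is not part of the original post: inspect each `_search` request body, collect the field names the query DSL actually references, and flag the request when none of the scoping filters named in the thread (`k8s_namespace`, `app`, `k8s_container`) appears. The proxy can log the verdict or attach it to the response; the field list, sample bodies and the hypothetical UUID value are constructed for the example.

```python
"""Proxy-side check: does an Elasticsearch query DSL body scope the search
by at least one known filter field? Added example, not code from the thread."""
import json
import re
from typing import Any, Dict, Set

# Scoping filters named in the thread; treat the set itself as an assumption.
SCOPE_FIELDS = {"k8s_namespace", "app", "k8s_container"}

# Leaf query types whose object keys are field names, e.g. {"term": {"app": "x"}}.
FIELD_KEYED_LEAVES = {
    "term", "terms", "match", "match_phrase", "match_phrase_prefix",
    "range", "prefix", "wildcard", "regexp", "fuzzy",
}

# "field:value" pairs written in Lucene syntax inside query_string text.
FIELD_PREFIX_RE = re.compile(r"(?<![\w.@])([A-Za-z_@][\w.]*)\s*:")


def _strip_boost(name: str) -> str:
    """'message^2' -> 'message'."""
    return name.split("^", 1)[0]


def referenced_fields(node: Any) -> Set[str]:
    """Recursively collect every field name a query DSL fragment refers to."""
    fields: Set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in FIELD_KEYED_LEAVES and isinstance(value, dict):
                fields.update(value.keys())
            elif key == "exists" and isinstance(value, dict) and "field" in value:
                fields.add(value["field"])
            elif key == "multi_match" and isinstance(value, dict):
                fields.update(_strip_boost(f) for f in value.get("fields", []))
            elif key in ("query_string", "simple_query_string") and isinstance(value, dict):
                fields.update(_strip_boost(f) for f in value.get("fields", []))
                if "default_field" in value:
                    fields.add(value["default_field"])
                # Kibana's search bar arrives as query_string; pick up "field:value" text.
                fields.update(FIELD_PREFIX_RE.findall(value.get("query", "")))
            else:
                fields |= referenced_fields(value)
    elif isinstance(node, list):
        for item in node:
            fields |= referenced_fields(item)
    return fields


def check_query(body: str) -> Dict[str, Any]:
    """Inspect one _search request body and return a verdict the proxy can log."""
    query = json.loads(body).get("query") or {}
    fields = referenced_fields(query)
    scoping = sorted(fields & SCOPE_FIELDS)
    verdict: Dict[str, Any] = {
        "scoped": bool(scoping),
        "scoping_fields": scoping,
        "fields": sorted(fields),
    }
    if not scoping:
        verdict["warning"] = (
            "query does not filter on any of %s; it will scan every log document"
            % ", ".join(sorted(SCOPE_FIELDS))
        )
    return verdict


# Constructed sample bodies; the UUID is a made-up value.
FAKE_UUID = "3fa85f64-5717-4562-b3fc-2c963f66afa6"
SCOPED_BODY = json.dumps({"query": {"bool": {
    "filter": [{"term": {"k8s_namespace": "payments"}},
               {"range": {"@timestamp": {"gte": "now-15m"}}}],
    "must": [{"match": {"message": FAKE_UUID}}]}}})
UNSCOPED_BODY = json.dumps({"query": {"query_string": {"query": '"%s"' % FAKE_UUID}}})
LUCENE_BODY = json.dumps({"query": {"query_string": {
    "query": "k8s_namespace:payments AND %s" % FAKE_UUID}}})
MATCH_ALL_BODY = json.dumps({"size": 500, "query": {"match_all": {}}})

if __name__ == "__main__":
    for name, body in [("scoped", SCOPED_BODY), ("unscoped", UNSCOPED_BODY),
                       ("lucene", LUCENE_BODY), ("match_all", MATCH_ALL_BODY)]:
        print(name, json.dumps(check_query(body)))
```

The check is a heuristic: it recognises the common leaf clauses and Lucene `field:value` syntax, so a query that references a scoping field in some other way would still be flagged, which is acceptable for a warning but is why the thread's "soft" framing matters more than outright rejection.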
Have you thought about just setting the following setting found here
By default, when this is not specified the query searches every field, and that is usually not a good thing, but you can set a single field or a couple of fields to search by default, like your UUID field:
index.query.default_field
(string or array of strings) Wildcard ( * ) patterns matching one or more fields. The following query types search these matching fields by default:
Well, we do not want to restrict the search of a UUID to specific fields. That would be problematic for teams trying to debug a particular transaction but no one knows exactly where that particular UUID shows up.
We are just looking for a way to warn them when they do not specify even one filter, like k8s_namespace or app or k8s_container. In the absence of such a filter, ES searches all the logs and these become very expensive queries.
I don't think there's anything built into Kibana that does what you're looking for.
What I have seen some other users do is keep the original log message in, for example, the message field, which is of type text, so all the content is in there and then the default search searches that as a text field.
But no, I don't think there's anything built into Kibana to warn when a field is not specified.