When necessary, Humio can be configured to prevent matching queries from executing. There are many scenarios where one might consider blacklisting a query or a pattern that matches many queries
Here’s how you blacklist a query
To blacklist a query you must have
root authorization. You will find
the Query Blacklist section in the Administration page. There you can add a pattern that is
either an exact match for the queries you’d like to match or a regular expression. Simply
choose one of those options, and add your pattern text. To restrict the blacklisted pattern
to a specific repository, add it in the “Restrict to Repo/View” field. Then
Queries currently running that match the new pattern are stopped immediately and prevented from running until this blacklist entity is removed by an administrator.
To remove the blacklisted query pattern simply select it and click “Unblock”.
Queries are the primary interface to data in Humio and so it is important that users are not
confused when a query they submit happens to be blacklisted. Say for instance that we added
/admin-[0-9]?/ to the global blacklist and then a user submits a query for
admin-1. We present a very detailed message in place of event data:
Failed to execute the query There was an error while trying to start the query: The query has been blacklisted in Humio by an administrator. This is probably due to the query being very resource demanding. Consider rewriting the query to perform better. The matched blacklist entry is: /admin-[0-9]/
This helps the user know what has happened and how future queries my be impacted. If they are concerned with this blacklist entry they can pass along the pattern to an administrator, making it easy to locate in the blacklisted queries list.