Blacklisting Queries

When necessary, Humio can be configured to prevent matching queries from executing. There are many scenarios where one might consider blacklisting a query, or a pattern that matches many queries:

  • A query pattern is known to use a large portion of the system’s resources
  • A query is known to be used for malicious purposes (such as searching for secure secrets)
  • A log line contains information that should never be searched for

Here’s how you blacklist a query


To blacklist a query you must have root authorization. You will find the Query Blacklist section in the Administration page. There you can add a pattern that is either an exact match for the queries you’d like to match or a regular expression. Simply choose one of those options, and add your pattern text. To restrict the blacklisted pattern to a specific repository, add it in the “Restrict to Repo/View” field. Then click “Create”.

Queries currently running that match the new pattern are stopped immediately and prevented from running until this blacklist entry is removed by an administrator.

To remove the blacklisted query pattern simply select it and click “Unblock”.

How will you know your query is blacklisted?

Queries are the primary interface to data in Humio, so it is important that you are not confused when a query you submit happens to be blacklisted. Say, for instance, that we added the pattern /admin-[0-9]?/ to the global blacklist and then you submit a query for admin-1. We present a very detailed message in place of event data:

Failed to execute the query
There was an error while trying to start the query:

The query has been blacklisted in Humio by an administrator. This is probably due to the query being very resource demanding. Consider rewriting the query to perform better.  The matched blacklist entry is: /admin-[0-9]/

This helps you know what has happened and how future queries may be impacted. If you are concerned about this blacklist entry, you may pass along the pattern to an administrator, making it easy to locate in the blacklisted queries list.
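Because running queries that match a new pattern are stopped immediately, it helps to check a candidate pattern against known queries before creating it. The Python sketch below is an added example, not Humio code: it assumes a regex entry matches anywhere in the query text and an exact entry compares the whole query string, and the class, function and sample queries are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BlacklistEntry:
    pattern: str                # pattern text, regex body without the slashes
    is_regex: bool              # False = exact match, True = regular expression
    repo: Optional[str] = None  # "Restrict to Repo/View"; None = all repos

    def blocks(self, repo: str, query: str) -> bool:
        if self.repo is not None and self.repo != repo:
            return False
        if not self.is_regex:
            # Assumption: exact match compares the whole query string.
            return query == self.pattern
        # Assumption: a regex entry matches anywhere in the query text.
        return re.search(self.pattern, query) is not None


def dry_run(entry: BlacklistEntry,
            queries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (repo, query) pairs that the entry would stop."""
    return [(repo, q) for repo, q in queries if entry.blocks(repo, q)]


# Constructed sample inventory of (repo, query) pairs; not real Humio data.
SAMPLE_QUERIES = [
    ("web", "admin-1"),
    ("web", "user=admin-42 | count()"),
    ("web", "path=/admin-panel status=500"),
    ("audit", "admin-1"),
    ("web", "administrator login"),
]

if __name__ == "__main__":
    candidates = [
        BlacklistEntry("admin-[0-9]?", True),          # digit optional
        BlacklistEntry("admin-[0-9]", True),           # digit required
        BlacklistEntry("admin-1", False, repo="web"),  # exact, one repo
    ]
    for entry in candidates:
        hits = dry_run(entry, SAMPLE_QUERIES)
        print(f"{entry.pattern!r} regex={entry.is_regex} repo={entry.repo}: "
              f"{len(hits)} of {len(SAMPLE_QUERIES)} blocked")
        for repo, q in hits:
            print(f"    [{repo}] {q}")
```

Under these assumptions the optional digit in the first pattern also stops the admin-panel query, which the pattern with a required digit leaves alone.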