[Fleet] Investigate usage of prefix queries in Fleet setup #143430
Comments
Pinging @elastic/fleet (Team:Fleet) |
In trying to reproduce this I got a slightly different error:
Coming from this query:
|
Interesting, it's likely that should be fixed too 😄 |
That last error looks like it's due to querying a field that has |
@joshdover is this still relevant or should I close that issue? |
It may still be an issue, but there's been further discussion in elastic/elasticsearch#90898 (comment) which points to this ES setting being reconsidered overall. I think we should probably still look at the issue that Mark found above though, as that is likely a query and it affects Fleet setup which is performance sensitive (blocks Kibana startup and rendering of the Fleet UI). |
Has there been any movement on this? Currently the new Controls work well with Switching to prefix queries would greatly reduce our code complexity. The only risk is that this might prevent the Dashboard UI from loading when the Additionally, I've been unable to find any methods which can tell Kibana plugins the value of this setting - is it even possible to check whether or not it's on in order to change pieces of the UI? |
@ThomThomson I think your feedback here may be better suited on the ES issue to get the right eyes on this: elastic/elasticsearch#90898 |
Good point, I will copy my response over there. |
Kibana version: 8.4.3
Elasticsearch version: 8.4.3
Elasticsearch has a setting called `search.allow_expensive_queries` which when set to `false` will disable several types of queries from being executed: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html

We've had reports that when this setting is enabled, Fleet's setup process fails with an error like:
This will block the Integrations Server from starting up in ESS & ECE.
Fleet should continue to work when expensive queries are disabled. We should investigate where we're using prefix queries and see if we can either eliminate this usage pattern or use better mappings (eg. `wildcard`) to avoid this issue. First priority should be fixing the setup process, but more generally we should avoid this pattern entirely.

I did a quick search and didn't find anything obvious in the setup code. One area to investigate further would be the usage of KQL/kuery. It's possible a KQL query like `field:"foo*"` produces a prefix query when transpiled to ES Query DSL.
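
One way to audit generated request bodies for the query types this issue is about, as an added example that is not Fleet or Kibana code: a walker over an Elasticsearch Query DSL object that reports clauses of types rejected when `search.allow_expensive_queries` is `false`. The function names, the clause list (a subset of the documented expensive query types) and the sample query with its `package.name` field are assumptions constructed for illustration.

```javascript
// Added example, not Fleet or Kibana code. Names and sample data are constructed.
// Subset of the query types Elasticsearch documents as expensive. Mapping-dependent
// cases (e.g. a prefix query on a field with index_prefixes) are not visible here.
const EXPENSIVE_TYPES = new Set(['prefix', 'wildcard', 'regexp', 'fuzzy', 'script']);

// Return [label, subQuery] pairs for the compound types this sketch understands.
function childQueries(type, body) {
  const asArray = (v) => (v === undefined ? [] : [].concat(v));
  switch (type) {
    case 'bool':
      return ['must', 'filter', 'should', 'must_not'].flatMap((k) =>
        asArray(body[k]).map((q, i) => [`${k}[${i}]`, q]));
    case 'dis_max':
      return asArray(body.queries).map((q, i) => [`queries[${i}]`, q]);
    case 'constant_score':
      return asArray(body.filter).map((q) => ['filter', q]);
    case 'nested':
      return asArray(body.query).map((q) => ['query', q]);
    default:
      return []; // leaf clause: do not descend, field names are not query types
  }
}

// Walk a Query DSL clause ({ <type>: <body> }) and collect expensive clauses.
function findExpensiveClauses(clause, path = 'query') {
  const hits = [];
  for (const [type, body] of Object.entries(clause ?? {})) {
    const here = `${path}.${type}`;
    if (EXPENSIVE_TYPES.has(type)) {
      // Term-level clause bodies are keyed by field name; script has none.
      hits.push({ path: here, type, field: type === 'script' ? null : Object.keys(body)[0] });
    }
    for (const [label, child] of childQueries(type, body)) {
      hits.push(...findExpensiveClauses(child, `${here}.${label}`));
    }
  }
  return hits;
}

// Constructed sample: one prefix clause nested inside a bool filter.
const sampleQuery = {
  bool: {
    filter: [
      { term: { prefix: 'not-a-prefix-query' } }, // field literally named "prefix"
      { bool: { should: [{ prefix: { 'package.name': { value: 'foo' } } }] } },
    ],
  },
};
console.log(findExpensiveClauses(sampleQuery));
```

Because the walker only descends through compound clauses, a field that happens to be named `prefix` inside a `term` clause is not reported.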