When necessary, LogScale can be configured to prevent queries from executing. There are many scenarios in which one might consider blocking a query or a pattern that matches many queries. For instance, a query pattern may use a large portion of the system's resources, or a particular query may be known to be used for malicious purposes (e.g., searching for secure secrets). It may also be that a log line contains information that should never be searched.
Blocks can be added by defining the following conditions:
Based on a regular expression using the standard LogScale regular expression mechanics.
Based on an exact matching query, explicitly matching the defined string.
Either against a specific Repository or all repositories.
Figure 21. Organization Query Administration Blocklist
The list of currently blocked queries is shown in the
page and includes the following information:
The string or regular expression of the query that is blocked.
Whether the block is based on an
When the block expires.
Repository or view
The view(s) or repositories to which the block applies.
Whether the block applies only to specific views or repositories, or if it applies to the whole organization.
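The block conditions and list fields described above (pattern, regular expression or exact match, expiry, repository scope) can be modelled offline to dry-run a candidate block against queries you already know about. This is an added example, not LogScale code: the Block class, dry_run function and sample queries are constructed, and it assumes unanchored matching with Python's re module, which may differ from LogScale's regular expression engine.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Block:                        # hypothetical model of one blocklist entry
    pattern: str                    # query string or regular expression
    is_regex: bool                  # False = exact match on the whole query string
    expires: Optional[datetime]     # None = never expires
    repository: Optional[str]       # None = applies to the whole organization

    def applies(self, query: str, repo: str, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False            # expired blocks no longer stop anything
        if self.repository is not None and self.repository != repo:
            return False            # scoped to a different repository or view
        if self.is_regex:
            # Assumption: unanchored match, Python `re` syntax
            return re.search(self.pattern, query) is not None
        return query == self.pattern

def dry_run(blocks, queries, now):
    """Return {(repo, query): [patterns of the blocks that would stop it]}."""
    return {(repo, q): [b.pattern for b in blocks if b.applies(q, repo, now)]
            for repo, q in queries}

# Constructed sample data: three blocks and four queries.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
BLOCKS = [
    Block("password=*", False, None, None),                          # exact, org-wide
    Block(r"(?i)\b(password|api_key)\s*=", True, None, "prod-logs"),  # regex, one repo
    Block(r"\|\s*groupBy\(", True,
          datetime(2024, 5, 1, tzinfo=timezone.utc), None),          # already expired
]
QUERIES = [
    ("prod-logs", "password=*"),
    ("prod-logs", "Password = * | tail(10)"),
    ("dev-logs", "Password = * | tail(10)"),
    ("prod-logs", "#type=accesslog | groupBy(statuscode)"),
]

if __name__ == "__main__":
    for (repo, q), hits in dry_run(BLOCKS, QUERIES, NOW).items():
        verdict = f"BLOCKED by {hits}" if hits else "allowed"
        print(f"{repo:10} {q!r:42} -> {verdict}")
```

The output shows the coverage gaps to look for before saving a block: the exact-match entry stops only the identical string, the repository-scoped regular expression does not apply in dev-logs, and the expired entry stops nothing.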
Removing or Unblocking an Existing Block
display shows the current list of configured query blocks for your
To remove or unblock a previously blocked query:
Go to the
Select the query that you want to unblock.
Click the button next to the query entry.
A message will be shown to say the block has been removed.