Blocking Queries

When necessary, LogScale can be configured to prevent queries from executing. There are many scenarios in which one might consider blocking a query or a pattern that matches many queries. For instance, a query pattern may use a large portion of the system's resources, a particular query may be known to be used for malicious purposes (e.g., searching for secure secrets), or a log line may contain information that should never be searched.

Blocks can be added by defining the following conditions:

  • Based on a regular expression using the standard LogScale regular expression mechanics.

  • Based on an exact matching query, explicitly matching the defined string.

  • Either against a specific Repository or all repositories.


Figure 17. Organization Query Administration Blocklist

The list of currently blocked queries is shown on the Blocklist page and includes the following information:

  • Pattern

    The string or regular expression of the query that is blocked.

  • Type

    Whether the block is based on an Exact Match or Regular Expression.

  • Expires

    When the block expires.

  • Repository or view

    The view(s) or repositories to which the block applies.

  • Enforcement level

    Whether the block applies only to specific views or repositories, or if it applies to the whole organization.
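
To check a candidate block for over-blocking or gaps before adding it, the conditions and Blocklist fields above can be modelled offline and run against past queries. This is an added example, not LogScale code: the `Block` class, the `dry_run` function and the sample blocks and queries are constructed, and Python's `re` with an unanchored search is an assumption that only approximates LogScale's regular expression matching.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Block:
    pattern: str                 # "Pattern" column
    type: str                    # "Type" column: "exact" or "regex"
    repository: Optional[str]    # None = all repositories
    expires: Optional[datetime]  # None = no expiry

    def applies(self, query: str, repo: str, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False                      # expired blocks no longer apply
        if self.repository is not None and self.repository != repo:
            return False                      # scoped to a different repository
        if self.type == "exact":
            return query == self.pattern      # the defined string, nothing else
        # Assumption: unanchored match; Python's re approximates LogScale's engine.
        return re.search(self.pattern, query) is not None

def dry_run(blocks, history, now):
    """Return {history index: [patterns that would block that query]}."""
    hits = {}
    for i, (repo, query) in enumerate(history):
        matched = [b.pattern for b in blocks if b.applies(query, repo, now)]
        if matched:
            hits[i] = matched
    return hits

# Constructed sample data (not taken from a real deployment).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
BLOCKS = [
    Block(r"password\s*=", "regex", None, None),
    Block("* | groupBy(field=@rawstring)", "exact", "web-logs", None),
    Block(r"^\*$", "regex", "audit", datetime(2024, 1, 1, tzinfo=timezone.utc)),
]
HISTORY = [
    ("web-logs", "* | groupBy(field=@rawstring)"),    # exact match in scope
    ("web-logs", "*  |  groupBy(field=@rawstring)"),  # spacing differs from exact pattern
    ("app-logs", "* | groupBy(field=@rawstring)"),    # outside the block's repository
    ("app-logs", "password = * | tail(10)"),          # intended regex hit
    ("audit", "*"),                                   # block expired before NOW
    ("app-logs", "reset_password=true | count()"),    # over-blocking by a broad regex
]

if __name__ == "__main__":
    for i, patterns in dry_run(BLOCKS, HISTORY, NOW).items():
        print(HISTORY[i], "blocked by", patterns)
```

Queries reported at indexes that were not meant to be blocked (index 5 here) indicate a pattern that is too broad; queries missing from the result that should have been blocked indicate a pattern or scope that is too narrow.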

Removing or Unblocking an Existing Block

The Blocklist display shows the current list of configured query blocks for your organization.

To remove or unblock a previously blocked query:

  1. Go to the Blocklist page.

  2. Select the query that you want to unblock.

  3. Click the Unblock button next to the query entry.

A message is shown confirming that the block has been removed.