Query Quotas

Security Requirements and Controls

root access permission

Query quotas can be used in order to limit the amount of CPU, memory, and I/O resources any one user can use when searching. Usage is tracked continuously as queries are executed. Whenever a user exceeds their quota, the query is stopped and the user is notified. As long as the quota is exceeded, any new queries will be rejected as soon as they are initiated.

Quotas can be specified in a number of different time intervals in order to allow the Cluster Administrator to protect against both short-term accidental heavy queries and longer term general heavy queries.

Quota Types

It's possible to specify three different types of quotas based on how Cluster Administrators want to limit users: static cost points, live cost points, and query counts.

Cost Points

Cost points are the unit LogScale uses to schedule, limit, and monitor queries. A cost point is a combination of both the memory and CPU consumption that a query has, and can be used as measurement of how expensive a query is overall.

Cost points are divided into static and live, reflecting the nature of the query. If the query only concerns itself with existing historic data, its static cost point measures the amount of cost points spent on processing historic data. The cost points for a live query include, in addition to the static cost points, measurement of how expensive it is to run live updates for the query.

Query Count

This quota can be used to limit the number of queries that can be executed within each time interval. This can be useful if you find that users are executing too many queries, as there is an inherent cost to starting and coordinating a query that isn't included in cost points.

Specifying Quotas

To configure query quotas, you currently must have root access permission.

You will find the query quota settings page under Administration → Query. There, you can configure default settings or user overrides.

Default Settings

Default settings apply to all users of the LogScale cluster.

User Override

Query quotas can be specified on a per user basis by using the User Override tab in the Query Quota UI. Overrides are done per quota type and time interval which means that any default quotas specified on any other combination of quota type and time interval still apply to the user. If you wish to remove a default quota restriction entirely for a particular user you can do a user override for that user and configure the override to be an unlimited quota.

Falcon LogScale Self-Hosted 1.132.0-1.137.0 (Preview)

Self-Hosted Overview

Installing LogScale

Self-Hosted Admin.

Organization Essentials

Configuring Security

Authentication & Identity Providers

Users & Permissions

Cluster Management

Configuration Settings

Ingesting Data

LogScale Configuration Parameters

LogScale URLs & Endpoints

Limits & Standards

Data Analysis 1.132.0-1.137.0

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts