Blocking Queries

When necessary, Humio can be configured to prevent matching queries from executing. There are many scenarios in which one might consider blocking a query or a pattern that matches many queries. For instance, a query pattern may use a large portion of the system’s resources. Or a particular query is known to be used for malicious purposes (e.g., searching for secure secrets). Or it may be that a log line contains information that should never want searched.

Here’s how you can block a query by adding it to the blocklist.

Adding a Query to the Blocklist

To add a query to the blocklist you must have root authorization. You will find the Query Blocklist section in the Administration page in the UI. There you can add a pattern that is either an exact match for the queries you’d like to match or a regular expression. Simply choose one of those options, and add your pattern text. To restrict the blocked pattern to a specific repository, add it in the Restrict to Repo/View field. Then click Create.

Currently running queries that match the new pattern are stopped immediately and prevented from running until this entity on the blocklist is removed by an administrator.

To remove the blocked query pattern from the blocklist simply select it and click Unblock.

Indications that a Query is Blocked

Queries are the primary interface to data in Humio and so it is important that you are not confused when a query you submit happens to be blocked. Say for instance that we added the pattern /admin-[0-9]?/ to the global blocklist and then you submit a query for admin-1. We present a very detailed message in place of event data:

ini
Failed to execute the query
There was an error while trying to start the query:
The query has been blocked in Humio by an administrator.
The matched blocklist entry is: /admin-[0-9]/

This helps you know what has happened and how future queries my be impacted. If you are concerned with this blocklist entry, you may pass along the pattern to an administrator, making it easy to locate in the blocklist.