Prevent opensearch from aggregating across all indices. (#3192)
jkppr authored Oct 1, 2024
1 parent 46b496b commit fa03fc9
Showing 2 changed files with 13 additions and 1 deletion.
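--- a/timesketch/api/v1/resources/sketch.py
+++ b/timesketch/api/v1/resources/sketch.py
@@ -469,7 +469,11 @@ def get(self, sketch_id):
 stats_per_timeline=stats_per_timeline,
 last_activity=utils.get_sketch_last_activity(sketch),
 sketch_labels=[label.label for label in sketch.labels],
-filter_labels=self.datastore.get_filter_labels(sketch.id, sketch_indices),
+filter_labels=(
+self.datastore.get_filter_labels(sketch.id, sketch_indices)
+if sketch_indices
+else []
+),
 )
 return self.to_json(sketch, meta=meta)
 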
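Review bot: The new conditional around `get_filter_labels` in `get()` has no comment, so a later reader sees only a redundant-looking `if sketch_indices ... else []` and may remove it. The same commit adds an equivalent early return inside `get_filter_labels`, so this call-site check is a second layer; a short comment would keep it from being cleaned away, e.g. `# An empty index list makes OpenSearch query "_all"; skip the lookup for sketches without indices.` Any other datastore call in `get()` that receives `sketch_indices` would need the same treatment, but the function starts and ends outside the hunk, so that cannot be checked here.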
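--- a/timesketch/lib/datastores/opensearch.py
+++ b/timesketch/lib/datastores/opensearch.py
@@ -714,6 +714,14 @@ def get_filter_labels(self, sketch_id, indices):
 Returns:
 List with label names.
 """
+# If no indices are provided, return an empty list. This indicates
+# there are no labels to aggregate within the specified sketch.
+# Returning early prevents querying OpenSearch with an empty
+# index list, which would default to querying all indices ("_all")
+# and could potentially cause performance issues or errors.
+if not indices:
+return []
+
 # This is a workaround to return all labels by setting the max buckets
 # to something big. If a sketch has more than this amount of labels
 # the list will be incomplete but it should be uncommon to have >10k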
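Review bot: The comment above `if not indices:` describes the `_all` fallback as a performance or error risk, but it is first a scoping issue: an aggregation over every index reaches data outside the sketch. Whether labels from other sketches could have come back depends on the sketch_id filter in the query further down, which is outside the hunk. I would state the boundary in the comment, e.g. `# An empty index list is treated as "_all" by OpenSearch, which would run the aggregation outside this sketch's indices.`, and add a unit test asserting that `get_filter_labels(sketch_id, [])` returns `[]` without calling the client. No test is included in this commit's two changed files.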
