From 341e880e3347fb96940b91774185cd77f177fad1 Mon Sep 17 00:00:00 2001
From: janosch
Date: Tue, 1 Oct 2024 12:59:09 +0000
Subject: [PATCH] Prevent opensearch from aggregating across all indices.

---
 timesketch/api/v1/resources/sketch.py | 6 +++++-
 timesketch/lib/datastores/opensearch.py | 8 ++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/timesketch/api/v1/resources/sketch.py b/timesketch/api/v1/resources/sketch.py
index 92af62cdba..576a457dd7 100644
--- a/timesketch/api/v1/resources/sketch.py
+++ b/timesketch/api/v1/resources/sketch.py
@@ -469,7 +469,11 @@ def get(self, sketch_id):
 stats_per_timeline=stats_per_timeline,
 last_activity=utils.get_sketch_last_activity(sketch),
 sketch_labels=[label.label for label in sketch.labels],
- filter_labels=self.datastore.get_filter_labels(sketch.id, sketch_indices),
+ filter_labels=(
+ self.datastore.get_filter_labels(sketch.id, sketch_indices)
+ if sketch_indices
+ else []
+ ),
 )
 return self.to_json(sketch, meta=meta)
diff --git a/timesketch/lib/datastores/opensearch.py b/timesketch/lib/datastores/opensearch.py
index ff28a07cde..dcd573194d 100644
--- a/timesketch/lib/datastores/opensearch.py
+++ b/timesketch/lib/datastores/opensearch.py
@@ -714,6 +714,14 @@ def get_filter_labels(self, sketch_id, indices):
 Returns:
 List with label names.
 """
+ # If no indices are provided, return an empty list. This indicates
+ # there are no labels to aggregate within the specified sketch.
+ # Returning early prevents querying OpenSearch with an empty
+ # index list, which would default to querying all indices ("_all")
+ # and could potentially cause performance issues or errors.
+ if not indices:
+ return []
+
 # This is a workaround to return all labels by setting the max buckets
 # to something big. If a sketch has more than this amount of labels
 # the list will be incomplete but it should be uncommon to have >10k
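Review bot: The caller-side `if sketch_indices else []` guard states the same rule as the early return this commit adds to `get_filter_labels` in the second hunk, and nothing here records that the duplication is intentional, so a later cleanup could drop either one believing the other covers it. A short comment above the `filter_labels=(` line would pin the intent: `# Kept in addition to the datastore guard: an empty index list must never reach OpenSearch.` The enclosing `get` method starts outside the hunk, so whether `sketch_indices` is always a list or may be `None` cannot be confirmed from here; both are falsy and take the `else []` branch, which is the desired outcome either way.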
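Review bot: The new comment gives performance and errors as the consequence of an empty index list resolving to `_all`, but the more serious consequence is that the label aggregation would then draw on indices that do not belong to this sketch, returning label names a caller may not be authorized to see; the comment should name that. Suggested wording for its last two lines: `# index list, which would default to querying all indices ("_all") and` / `# could expose labels from timelines outside this sketch.` The `if not indices: return []` check itself handles both an empty list and `None`. The remainder of `get_filter_labels`, including the query that consumes `indices`, lies outside the hunk, so whether the aggregation is additionally constrained by `sketch_id` cannot be verified here.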