Bug #6857
closed
Search hosts view generates too broad database queries
0%
Description
The Hosts tab in Mentat corresponding to the Search hosts view leads to a database query that is too broad and wastes system resources (and takes too long to execute).
The view allows displaying results for a single IP address, yet it generates a DB query such as:
SELECT * FROM events AS "_mentatq(83_eaedjv)_" INNER JOIN events_json USING(id) WHERE "detecttime" >= '2020-12-29T12:00:00+00:00'::timestamptz AND "detecttime" <= '2021-01-05T12:00:00+00:00'::timestamptz
The scope of the query could be decreased, from at least two angles:
1. The returned data set could be filtered to only contain events related to the IP queried.
2. Returning all metadata columns JOINed by the JSON document is redundant; most of the data is read, formatted and transferred, but not processed afterwards.
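The two narrowing angles above, as an added example that is not part of the original report and not Mentat's code. It uses an in-memory SQLite stand-in; only events, events_json, id and detecttime come from the quoted query, while the source_ip, category and event columns and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Time window copied from the query quoted in the report.
WINDOW = ("2020-12-29T12:00:00+00:00", "2021-01-05T12:00:00+00:00")

def build_db(n=1000):
    """Constructed data set: n events spread over 50 addresses in 192.0.2.0/24."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events (id TEXT PRIMARY KEY, detecttime TEXT,
                             source_ip TEXT, category TEXT);  -- assumed columns
        CREATE TABLE events_json (id TEXT PRIMARY KEY, event TEXT);
        CREATE INDEX events_ip_time ON events (source_ip, detecttime);
    """)
    for i in range(n):
        eid = f"ev{i}"
        # Same format and UTC offset everywhere, so text comparison orders correctly.
        ts = f"2021-01-0{1 + i % 5}T12:00:00+00:00"
        db.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
                   (eid, ts, f"192.0.2.{i % 50}", "Test"))
        db.execute("INSERT INTO events_json VALUES (?, ?)",
                   (eid, '{"ID": "%s"}' % eid))
    return db

def broad(db):
    """Shape of the reported query: every column, every event in the window."""
    return db.execute(
        "SELECT * FROM events INNER JOIN events_json USING(id) "
        "WHERE detecttime >= ? AND detecttime <= ?", WINDOW).fetchall()

def narrow(db, ip):
    """Angle 1: filter on the queried IP. Angle 2: return only the JSON document."""
    return db.execute(
        "SELECT events_json.event FROM events INNER JOIN events_json USING(id) "
        "WHERE events.source_ip = ? AND detecttime >= ? AND detecttime <= ?",
        (ip, *WINDOW)).fetchall()

def shape(rows):
    """(row count, column count) actually transferred to the application."""
    return (len(rows), len(rows[0]) if rows else 0)

if __name__ == "__main__":
    db = build_db()
    print("broad      ", shape(broad(db)))
    print("narrow hit ", shape(narrow(db, "192.0.2.7")))
    print("narrow miss", shape(narrow(db, "198.51.100.1")))
```

For an address that is not present, the narrowed query transfers nothing, while the broad one still returns every event in the window.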
Updated by Radko Krkoš almost 4 years ago
A test run on mentat-hub for a single IP address not present took 5 minutes and 23 seconds, a rerun did not finish after 12 minutes (the query is heavily IO bound).
Updated by Radko Krkoš almost 4 years ago
- Assignee changed from Jan Mach to Radko Krkoš
Updated by Pavel Kácha almost 4 years ago
Well, the question is - isn't this use case already covered (also in a more optimized way) by Timeline?
Updated by Radko Krkoš almost 4 years ago
Exactly, but I cannot answer that, hence the To be discussed flag.
Updated by Radko Krkoš almost 4 years ago
- Status changed from New to Deferred
- Assignee deleted (Radko Krkoš)
- To be discussed changed from Yes to No
Based on the videocall, this is a (somewhat) deprecated feature; it will be configured to only be accessible by admins and its role taken over by the Timeline feature. One day, this might be revisited and the implementation improved, if distinct (from Timeline) use cases are found.
Updated by Pavel Kácha almost 4 years ago
- Related to Feature #6926: Replace Hosts by Timeline added
Updated by Pavel Kácha almost 4 years ago
- Status changed from Deferred to Closed
Originally deferred, but closing - if we decide to revive it, it will have to be reviewed thoroughly and reworked anyway.