Open rachaelshaw opened 1 month ago
@rachaelshaw It seems we had the 1000 hardcoded on the UI too. https://github.com/fleetdm/fleet/blob/30e4b252aa892222bbb9eb637bcdadeac9dbdfe5/frontend/pages/queries/details/QueryDetailsPage/QueryDetailsPageConfig.tsx#L15 https://github.com/fleetdm/fleet/blob/30e4b252aa892222bbb9eb637bcdadeac9dbdfe5/frontend/pages/queries/details/QueryDetailsPage/QueryDetailsPage.tsx#L202-L203
So I added a report_clipped: boolean
response field to the GET /api/latest/fleet/queries/$query_id/report
API. (Same field we already have in GET /api/latest/fleet/hosts/$host_id/queries/$query_id
.)
Let me know if this makes sense.
@lucasmrod sounds good! Updated the API changes in the description
Hey @rachaelshaw, tracking the TODO from our discussion during product design review in this issue so we see it during confirm and celebrate:
TODO Rachael: Update GitOps reference docs to call out that you should enable reports for one query at time and monitor your infrastructure
UPDATE: Add PR for API changes.
Hey @zayhanlon & @Patagonia121 this story has shipped but before we notify customers we want to make sure docs PR is merged. See the comment above for TODO docs.
Goal
Currently, for queries that run on >1000 hosts, query reports in the Fleet UI serve as previews of the data returned, rather than true reports of the latest results. (Those users need to send data to a log destination in order to build a complete up-to-date report, since reports in Fleet are clipped at 1,000.)
Context
Changes
Product
server_settings.query_report_cap
to Fleet configuration APIreport_clipped
toGET /api/latest/fleet/queries/:query_id/report
responseEngineering
QA
Risk assessment
Manual testing steps
Testing notes
Confirmation