fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Target hosts via live query w/ labels: AND filter #23881

Open iansltx opened 1 week ago

iansltx commented 1 week ago

Problem

In #23015, @dherder mentioned that he expected labels specified in fleetctl query to be ANDed rather than ORed (with some nuances). The existing endpoint (and the UI in front of it) uses OR logic here, so you can run a query on "any of these hosts plus any host that has at least one of these labels", but you can't effectively use labels as faceted search to, for example, only run a live query on Macs with low disk space (I believe those are both built-in labels, which per the relevant endpoint docs would be OR'd).

What have you tried?

I tried filtering hosts in the UI (so I could potentially get a list of host names to feed into fleetctl that have all of the specified labels), but I can't get more than one label to select at a time from initial investigations.

Potential solutions

Add a "required_labels" field to the existing endpoint, which would filter to hosts that matched all of the required labels, rather than just any of them, and either add a non-comma delimiter to fleetctl to populate that field or add a new flag that uses comma delimiters but filters the entire result set by AND'd labels (potentially deprecating the existing --labels CLI option in favor of something that's more clearly named).

What is the expected workflow as a result of your proposal?

I can run a live query on hosts that are associated with every label I specify.
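The difference between the current any-of (OR) label targeting and the proposed all-of (AND) `required_labels` filter, as an added example that is not part of the issue and not Fleet's own code. `Host`, `TargetSpec`, `SelectTargets`, the four sample hosts and the label names are all constructed for illustration; Fleet's real target resolution lives in its MySQL queries and the API shapes differ.

```go
package main

import (
	"fmt"
	"sort"
)

// Host is a constructed stand-in for a Fleet host with its label memberships.
type Host struct {
	ID       uint
	Hostname string
	Labels   map[string]bool // label name -> member
}

// TargetSpec mirrors the shape the issue proposes (hypothetical, not Fleet's API):
// explicit hosts plus labels with today's OR semantics, and a new
// RequiredLabels list that narrows the result with AND semantics.
type TargetSpec struct {
	HostIDs        []uint
	Labels         []string // any-of: a host matches if it has at least one
	RequiredLabels []string // all-of: a host is kept only if it has every one
}

// hasAny reports whether the host carries at least one of the labels.
func hasAny(h Host, labels []string) bool {
	for _, l := range labels {
		if h.Labels[l] {
			return true
		}
	}
	return false
}

// hasAll reports whether the host carries every label (vacuously true for none).
func hasAll(h Host, labels []string) bool {
	for _, l := range labels {
		if !h.Labels[l] {
			return false
		}
	}
	return true
}

// SelectTargets returns the sorted IDs of hosts a live query would run on.
// Base set (current behaviour): HostIDs union hosts matching any of Labels.
// If neither HostIDs nor Labels is given, RequiredLabels alone selects from
// all hosts (an assumption about how the proposed field would behave).
// The base set is then intersected with hosts carrying all RequiredLabels.
func SelectTargets(spec TargetSpec, hosts []Host) []uint {
	if len(spec.HostIDs) == 0 && len(spec.Labels) == 0 && len(spec.RequiredLabels) == 0 {
		return nil // no targets at all: run on nothing
	}
	explicit := make(map[uint]bool, len(spec.HostIDs))
	for _, id := range spec.HostIDs {
		explicit[id] = true
	}
	broad := len(spec.HostIDs) == 0 && len(spec.Labels) == 0
	var out []uint
	for _, h := range hosts {
		inBase := broad || explicit[h.ID] || hasAny(h, spec.Labels)
		if inBase && hasAll(h, spec.RequiredLabels) {
			out = append(out, h.ID)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// SampleHosts is constructed inventory: two Macs, one Windows box, one Linux box.
func SampleHosts() []Host {
	return []Host{
		{1, "mac-low-disk", map[string]bool{"macOS": true, "Low disk space": true}},
		{2, "mac-ok", map[string]bool{"macOS": true}},
		{3, "win-low-disk", map[string]bool{"Windows": true, "Low disk space": true}},
		{4, "linux-ok", map[string]bool{"Linux": true}},
	}
}

func main() {
	hosts := SampleHosts()
	// Today's OR semantics: every Mac plus every low-disk host.
	fmt.Println("labels (OR):", SelectTargets(TargetSpec{Labels: []string{"macOS", "Low disk space"}}, hosts))
	// Proposed AND semantics: only Macs that are also low on disk.
	fmt.Println("required_labels (AND):", SelectTargets(TargetSpec{RequiredLabels: []string{"macOS", "Low disk space"}}, hosts))
	// Mixed: explicit host 4 plus all Macs, then filtered to low-disk hosts.
	fmt.Println("mixed:", SelectTargets(TargetSpec{HostIDs: []uint{4}, Labels: []string{"macOS"}, RequiredLabels: []string{"Low disk space"}}, hosts))
}
```

The mixed case shows why the issue talks about filtering "the entire result set": an explicitly listed host that lacks a required label is dropped too, which is the faceted-search behaviour the request is after.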

noahtalerman commented 6 days ago

Hey @iansltx and @dherder thanks for tracking this one. We're going to set this one to the side for now b/c it doesn't meet the criteria for prioritization: https://fleetdm.com/handbook/company/product-groups#criteria-for-prioritization