This PR addresses an issue where Timesketch attempts to execute an OpenSearch query with an empty index list when fetching labels for sketches without active timelines. This defaults to querying _all indices, which can lead to performance issues and the "got more than 100 headers" error due to excessive task management headers and/or large responses in the aggregation.
The following changes were made:
In the SketchResource.get function (timesketch/api/v1/resources/sketch.py), a conditional check was added to ensure get_filter_labels is called only if sketch_indices is not empty. If the list is empty (no indices to query), an empty list is directly assigned to filter_labels in the metadata.
In the get_filter_labels function (timesketch/lib/datastores/opensearch.py) a check was added at the beginning of the function to immediately return an empty list if the provided indices parameter is empty. This prevents the aggregation query from being constructed and executed unnecessarily. Explanatory comments were added to clarify the purpose of these changes.
These modifications prevent querying _all indices with empty sketch_indices, improving performance and preventing header limit errors when fetching sketch details for empty sketches or sketches without active timelines.
This PR addresses an issue where Timesketch attempts to execute an OpenSearch query with an empty index list when fetching labels for sketches without active timelines. This defaults to querying
_allindices, which can lead to performance issues and the "got more than 100 headers" error due to excessive task management headers and/or large responses in the aggregation.The following changes were made:
SketchResource.getfunction (timesketch/api/v1/resources/sketch.py), a conditional check was added to ensureget_filter_labelsis called only ifsketch_indicesis not empty. If the list is empty (no indices to query), an empty list is directly assigned tofilter_labelsin the metadata.get_filter_labelsfunction (timesketch/lib/datastores/opensearch.py) a check was added at the beginning of the function to immediately return an empty list if the providedindicesparameter is empty. This prevents the aggregation query from being constructed and executed unnecessarily. Explanatory comments were added to clarify the purpose of these changes.These modifications prevent querying
_allindices with emptysketch_indices, improving performance and preventing header limit errors when fetching sketch details for empty sketches or sketches without active timelines.Closing issues
closes #3191