Disable search in all message

Hi,
We run Graylog 3.1.3 with 2 Graylog and 6 ES nodes.
The ES nodes are using SATA disks.
Some user used the “search in all messages” feature, which made my ES node crash because of “Out of java heap size”.
My java heap size is 24GB.
We have 1k5 messages input/output per sec.
Can I disable this feature?

Under System / Authentication -> Authentication you can remove permission to the stream for users and groups. Does that accomplish what you need?

I did that, but many users with access to their streams performed multiple “search in all message” queries at the same time.
I think I will retrain my people and hope that will be added to the new version of Graylog.
Thanks for the reply.

You can limit queries in System - Configurations - in section Search Configuration.

For example, you can completely remove “Search in all messages” or change it to limit to 30 days for example, changing the value from PT0S to P30D. Or you can add your own time ranges if you want.

https://docs.graylog.org/en/3.3/pages/searching/configuration.html#query-time-range-limit
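An added example, not part of the original replies and not Graylog's own code: a small audit of a search configuration exported as JSON, flagging any setting that still allows an unbounded (PT0S) or overlong search. The key names `query_time_range_limit` and `relative_timerange_options`, the sample values, and the function names are assumptions made for the illustration.

```python
import re

# ISO 8601 durations of the kind quoted in the thread (PT0S, P30D).
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
_SECONDS = (31536000, 2592000, 604800, 86400, 3600, 60, 1)  # Y, M (30 d), W, D, h, m, s


def duration_seconds(value):
    """Convert an ISO 8601 duration to seconds (years and months approximated)."""
    match = _DURATION.match(value)
    if not match or value[-1] in "PT":  # rejects "P", "PT", "P1DT"
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    return sum(int(n) * unit for n, unit in zip(match.groups(default="0"), _SECONDS))


def audit_search_config(config, max_range="P30D"):
    """Return findings for settings that allow unbounded or overlong searches."""
    limit = duration_seconds(max_range)
    findings = []
    # Assumed key names; PT0S is treated as "no limit", as in the thread.
    query_limit = duration_seconds(config.get("query_time_range_limit", "PT0S"))
    if query_limit == 0:
        findings.append("query_time_range_limit is PT0S: no limit enforced")
    elif query_limit > limit:
        findings.append(f"query_time_range_limit exceeds {max_range}")
    for period, label in config.get("relative_timerange_options", {}).items():
        seconds = duration_seconds(period)
        if seconds == 0:
            findings.append(f"option {period} ({label}) searches all messages")
        elif seconds > limit:
            findings.append(f"option {period} ({label}) exceeds {max_range}")
    return findings


# Constructed sample, not taken from a real server.
SAMPLE_CONFIG = {
    "query_time_range_limit": "PT0S",
    "relative_timerange_options": {
        "PT5M": "Search in the last 5 minutes",
        "P1D": "Search in the last 1 day",
        "P90D": "Search in the last 90 days",
        "PT0S": "Search in all messages",
    },
}

if __name__ == "__main__":
    for finding in audit_search_config(SAMPLE_CONFIG):
        print(finding)
```

This only checks Graylog's own settings; queries sent to Elasticsearch directly by another client, such as the Grafana dashboards mentioned later in the thread, are not bounded by them.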

Oh, I didn’t see that. Thank you very much.
But I found the reason: my Grafana uses ES as a data source with many dashboards, which makes my ES cluster crash when it executes a lot of queries at the same time with a long time range.
