Hi
Our users do not want to understand and often ask general queries like: *:* or *logs*.
Such requests touch all of our logs and cause our cluster to crash.
Is there a chance to block the creation or search of such index templates? But at the same time, searching for narrower patterns should work, for example *logs-aaa*.
You might have a hope with the new variable functions (i.e. using a regex to intercept a pattern and replace what you don’t want with some really long garbage which is guaranteed to match no index).
What are the minimum criteria for allowing a double-wildcard in your business case?
*:*
*logs*
*logs-aaa* what is aaa?
We can give you a pre-build with this feature to test if you want.
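The regex-intercept idea from the reply above, sketched as an added example (not code from the thread or from the product's own configuration). It assumes Elasticsearch-style comma-separated index expressions with an optional `cluster:` prefix; the `MIN_LITERALS` threshold, the `NO_MATCH` name and both function names are hypothetical.

```python
import re

# Assumed policy (not from the thread): the index-name part of a pattern must
# contain at least MIN_LITERALS non-wildcard characters.
MIN_LITERALS = 6
# Constructed placeholder name, long enough that no real index will match it.
NO_MATCH = "blocked-too-broad-pattern-0000000000000000"

# Optional "cluster:" prefix (as in *:*), then the index-name part.
_PATTERN = re.compile(r"^(?:(?P<cluster>[^:,]*):)?(?P<index>[^:,]*)$")


def is_too_broad(pattern: str) -> bool:
    """True if the pattern would fan out across (nearly) every index."""
    m = _PATTERN.match(pattern.strip())
    if m is None:
        return True  # unparseable input is treated as broad (fail closed)
    index = m.group("index")
    if index in ("", "_all"):
        return True  # both mean "every index" in Elasticsearch
    literals = index.replace("*", "")
    return len(literals) < MIN_LITERALS


def rewrite_indices(expression: str) -> str:
    """Replace each too-broad pattern in a comma-separated index expression."""
    out = []
    for part in expression.split(","):
        part = part.strip()
        if part.startswith("-"):
            out.append(part)  # exclusions only narrow the search; keep them
        elif is_too_broad(part):
            out.append(NO_MATCH)  # the request still succeeds, with zero hits
        else:
            out.append(part)
    return ",".join(out)


if __name__ == "__main__":
    for expr in ("*:*", "*logs*", "*logs-aaa*", "*logs-aaa*,*"):
        print(f"{expr!r:18} -> {rewrite_indices(expr)!r}")
```

With the threshold at 6, `*logs*` (4 literal characters) is neutralised while `*logs-aaa*` (8) passes; the right threshold depends on the answer to the "minimum criteria" question above.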