Prevent searches using certain patterns

Our users do not want to understand and often ask general queries like: *:* or *logs*.
Such requests touch all of our logs and cause our cluster to crash.
Is there a chance to block the creation or search of such index templates? But at the same time, searching for narrower patterns should work, for example *logs-aaa*.

{"customer_id": "6c4a385b-2ae8-4f02-a9cd-ef24addfb5b3", "subscription_id": "32d4073f-dc2f-4056-a868-842727c637cd"}

Interesting problem @driveirk.

You might have a hope with the new variable functions (i.e. using a regex to intercept a pattern and replace what you don’t want with some really long garbage which is guaranteed to match no index).

What are the minimum criteria for allowing a double-wildcard in your business case?

  • *:* :x:
  • *logs* :x:
  • *logs-aaa* :white_check_mark: what is aaa?

We can give you a pre-build with this feature to test if you want.
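
The interception idea from the reply above, as an added Python example that is not part of the thread and is not the product's own feature or syntax. The acceptance rule (a `logs-` prefix plus at least three literal suffix characters), the sentinel value and the function names are assumptions, since the thread leaves the criteria open.

```python
import re

# Assumed policy (the thread leaves the criteria open): a wildcard pattern is
# acceptable only if it pins the "logs-" family plus at least three literal
# characters of suffix, e.g. *logs-aaa*.
NARROW_ENOUGH = re.compile(r"\*?logs-[a-z0-9][a-z0-9._-]{2,}\*?")

# Constructed sentinel: long garbage that no real index name will match.
NO_MATCH = "blocked-overbroad-pattern-7f3e9c1d5a2b4e6f"


def rewrite_pattern(pattern: str) -> str:
    """Return the pattern unchanged if narrow enough, else the sentinel."""
    pattern = pattern.strip()
    # Exclusions ("-logs-old*") only shrink the result set; let them through.
    if pattern.startswith("-"):
        return pattern
    # Cross-cluster form "cluster:index": judge the index part only.
    cluster, sep, index = pattern.rpartition(":")
    if NARROW_ENOUGH.fullmatch(index):
        return pattern
    # Keep the cluster prefix so the request stays well-formed but finds nothing.
    return f"{cluster}{sep}{NO_MATCH}"


def rewrite_expression(expr: str) -> str:
    """Apply rewrite_pattern to every comma-separated part of an index expression."""
    # An empty expression means "all indices" to Elasticsearch, so block it too.
    parts = expr.split(",") if expr.strip() else [""]
    return ",".join(rewrite_pattern(p) for p in parts)


if __name__ == "__main__":
    # Constructed sample requests, including the three patterns from the thread.
    for requested in ["*:*", "*logs*", "*logs-aaa*", "_all,*logs-aaa*", ""]:
        print(f"{requested!r:20} -> {rewrite_expression(requested)!r}")
```

Rewriting to a non-matching name rather than rejecting the request means the too-broad search returns an empty result instead of fanning out across every index.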