Version

All

Issue

Process search times out for digsig_result:”Unsigned”

Symptoms

UI shows a time out error

Cause/Solution

Using a binary property within a process search results in a joined search. These searches are extremely resource intensive and time consuming, and the broader the search is the more documents will match and therefore the more process documents will need to be visited during the course of the search. This helps explains why digsig_result searches on terms such as Bad Signature, Invalid Signature, and Expired generally lead to successful page loads: there would normally be an order of magnitude less of these binaries and a correspondingly low number of process documents relating to the execution of these binaries. When performing the broadest of process searches using a binary field, such as digsig_result: "Signed", you will get back a result of every signed binary known to the system, then visit every process document corresponding to each one of those binaries.

Performing broad process searches using binary fields is therefore discouraged as they are impractical in terms of time to completion and resource consumption and they are likely to time out in the user interface. If process searches with binary fields must be performed we advise that they be joined with process fields such that the overall set of results is narrowed thereby leading to an increased likelihood of search completion within the time allowed by the UI. It is better practice to use facets and/or add criteria dialogs to reduce the target set (by time, by host, by group etc) and than run the free form search. "Add Criteria" dialogs and facets are performed ahead of the "q-term" submitted using the free form search and therefore help reduce the set the latter will have to execute over.