[Roles] Time range query in DLS filter

Elasticsearch version:
7.9.3 + sg plugin 47.0.0
Server OS version:
Centos 7
Kibana version
Kibana 7.8.1 + kibana sg plugin 43.0.0

I would like to add dls filter into sg role.
I tried a few different queries but without succes.

Here what i tried:

{"query": { "bool": {"must": [ {"range": { "@timestamp": { "gte": "now-90d/d" } }} ]} } }

{ "query": { "bool": {"must": [ {"match_all":{}},{"range": { "@timestamp": { "gte": "now-90d/d" } }} ]} }}

{ "bool": {"must": [ {"match_all":{}},{"range": { "@timestamp": { "gte": "now-90d/d" } }} ]} }

{ "bool": {"must": [ {"match_all":{}},{"range": { "@timestamp": { "gte": "now-90d/d", "lte": "now/d" } }} ]} }

I added role without dls filter, afterthat i added index-pattern of that index. When i modifed role and added dls filter, in Discover i have this info:

  "took": 4498,
  "timed_out": false,
  "_shards": {
    "total": 1014,
    "successful": 991,
    "skipped": 991,
    "failed": 23,
    "failures": [
        "shard": 0,
        "index": "network-devices-dd-2021.06.03-000037",
        "node": "MKPoUHwvRGOLUDbQ2A8XdQ",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: could not read the current timestamp",
          "index_uuid": "q63yv0ORRWWs9Rpo0BPQhw",
          "index": "network-devices-dd-2021.06.03-000037",
          "caused_by": {
            "type": "parse_exception",
            "reason": "could not read the current timestamp",
            "caused_by": {
              "type": "illegal_argument_exception",
              "reason": "'now' is not allowed in DLS queries"

Would you be so kind and help with that query?

Hello Patryk!

Search Guard DLS explicitly disallows the use of now in DLS queries. The reason for this it is that the current time (=now) must be evaluated on every shard separately when using DLS and so the resolved “now” date would not be consistent across different nodes and even shards. If operating on a scale like hours or days this is not a concern but if operating on ms or sec level the results can be inconsistent.

If these circumstances are not a concern for you, you can add the option searchguard.unsupported.allow_now_in_dls: true to elasticsearch.yml. However, as the name of the option says, please be aware that this is an experimental and unsupported configuration.

Ok thank you so much for the fast answer

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.