Increase maximum Osquery timeout to 24 hours (elastic#207276)

Some Osquery queries are expected to be long running. To accommodate this, increase the maximum timeout in the query creation UI to 24 hours (86400 seconds). 24 hours should allow most long-running queries, while still having a limit that ensures misbehaving queries do not block others for an extremely long time. Relates to elastic/beats#42352. Osquerybeat will also increase its timeout limit to 24h, this change will allow the higher timeout to be set by users in Kibana. (cherry picked from commit 81a57e0)
kibanamachine · Jan 31, 2025 · c887867 · c887867
1 parent 170d533
commit c887867
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/x-pack/platform/plugins/shared/osquery/common/constants.ts b/x-pack/platform/plugins/shared/osquery/common/constants.ts
@@ -32,5 +32,5 @@ export const API_VERSIONS = {
 
 export enum QUERY_TIMEOUT {
   DEFAULT = 60, // 60 seconds
-  MAX = 60 * 15,
+  MAX = 60 * 60 * 24, // 24 hours
 }
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query.cy.ts
@@ -37,12 +37,12 @@ describe('ALL - Live Query', { tags: ['@ess', '@serverless'] }, () => {
     cy.contains('Query is a required field').should('not.exist');
     checkResults();
     getAdvancedButton().click();
-    fillInQueryTimeout('910');
+    fillInQueryTimeout('86410');
     submitQuery();
-    cy.contains('The timeout value must be 900 seconds or or lower.');
+    cy.contains('The timeout value must be 86400 seconds or or lower.');
     fillInQueryTimeout('890');
     submitQuery();
-    cy.contains('The timeout value must be 900 seconds or or lower.').should('not.exist');
+    cy.contains('The timeout value must be 86400 seconds or or lower.').should('not.exist');
     typeInOsqueryFieldInput('days{downArrow}{enter}');
     submitQuery();
     cy.contains('ECS field is required.');