Configure queries to block
In certain situations, you might want to control what queries are being sent to your Mimir installation. These queries might be intentionally or unintentionally expensive to run, and they might affect the overall stability or cost of running your service.
You can block queries using per-tenant overrides:
overrides:
"tenant-id":
blocked_queries:
# block this query exactly
- pattern: 'sum(rate(node_cpu_seconds_total{env="prod"}[1m]))'
# block any query matching this regex pattern
- pattern: '.*env="prod".*'
regex: true
To set up runtime overrides, refer to runtime configuration.
Note
The order of patterns is preserved, so the first matching pattern will be used.
Format queries to block
Use Mimirtool’s mimirtool promql format <query>
command to apply the Prometheus formatter to a query
for use in a blocked query pattern
.
Queries received by Mimir are parsed into PromQL expressions before blocking is applied.
The pattern
from the blocked queries is compared against the formatted representation of the parsed query,
in order to allow consistent query blocking behavior regardless of formatting differences in the submitted queries.
Among other transformations the Prometheus formatter may reorder operators, remove empty selector braces, and eliminate newlines, extraneous whitespace, and comments.
Formatted query examples
Empty selector braces removed:
mimirtool promql format 'foo{}'
foo
Operators reordered:
mimirtool promql format 'sum(container_memory_rss) by (namespace)'
sum by (namespace) (container_memory_rss)
Newlines, extra whitespace, and comments eliminated:
mimirtool promql format '
rate(
metric_counter[15m] # comment 1
) /
rate(
other_counter[15m] # comment 2
)
'
rate(metric_counter[15m]) / rate(other_counter[15m])
View blocked queries
Blocked queries are logged, as well as counted in the cortex_query_frontend_rejected_queries_total
metric on a per-tenant basis.