Menu
Open source

Configure queries to block

In certain situations, you might want to control what queries are being sent to your Mimir installation. These queries might be intentionally or unintentionally expensive to run, and they might affect the overall stability or cost of running your service.

You can block queries using per-tenant overrides:

yaml
overrides:
  "tenant-id":
    blocked_queries:
      # block this query exactly
      - pattern: 'sum(rate(node_cpu_seconds_total{env="prod"}[1m]))'

      # block any query matching this regex pattern
      - pattern: '.*env="prod".*'
        regex: true

To set up runtime overrides, refer to runtime configuration.

Note

The order of patterns is preserved, so the first matching pattern will be used.

Format queries to block

Use Mimirtool’s mimirtool promql format <query> command to apply the Prometheus formatter to a query for use in a blocked query pattern.

Queries received by Mimir are parsed into PromQL expressions before blocking is applied. The pattern from the blocked queries is compared against the formatted representation of the parsed query, in order to allow consistent query blocking behavior regardless of formatting differences in the submitted queries.

Among other transformations the Prometheus formatter may reorder operators, remove empty selector braces, and eliminate newlines, extraneous whitespace, and comments.

Formatted query examples

Empty selector braces removed:

bash
mimirtool promql format 'foo{}'
console
foo

Operators reordered:

bash
mimirtool promql format 'sum(container_memory_rss) by (namespace)'
console
sum by (namespace) (container_memory_rss)

Newlines, extra whitespace, and comments eliminated:

bash
mimirtool promql format '
rate(
  metric_counter[15m] # comment 1
) /
rate(
  other_counter[15m] # comment 2
)
'
console
rate(metric_counter[15m]) / rate(other_counter[15m])

View blocked queries

Blocked queries are logged, as well as counted in the cortex_query_frontend_rejected_queries_total metric on a per-tenant basis.