Update client search documentation

Question

Update client search documentation

destijl opened this issue 10 years ago · 7 comments

https://github.com/google/grr-doc/blob/master/user_manual.adoc#searching-for-a-client

Answer 1 · 2015-04-16T00:58:48.000Z

I notice that . doesn't seem to work in HEAD, this is extremely helpful in testing when you're spinning machines up and down and you don't have anything sensible to search for.
What is the replacement for that? or is it a bug?

Answer 2 · 2015-04-16T06:13:31.000Z

Regex search is now deprecated. You must search for the exact hostname
which is indexed. A . search will not work for anything but a play
installation anyway.
Am 16.04.2015 02:58 schrieb "Darren Bilby" notifications@github.com:

I notice that . doesn't seem to work in HEAD, this is extremely helpful in
testing when you're spinning machines up and down and you don't have
anything sensible to search for.
What is the replacement for that? or is it a bug?

—
Reply to this email directly or view it on GitHub
#12 (comment).

Answer 3 · 2015-04-16T07:20:10.000Z

I understand the why, but it doesn't change the fact that 99% of installations are 'play' installations for which . searches were very useful.
Something like an 'all' keyword in the search box that did a rowscan would make me happy.

Answer 4 · 2015-04-16T07:29:05.000Z

IIRC we planned to do 2 things:

Keep the "." search for backwards compatibility.
Make search for empty string equivalent to "." search.

Or am I missing something?

Answer 5 · 2015-04-16T08:20:57.000Z

The new keyword search is just a keyword search, so regexes don't work. However, quite a few things become keywords, and I will try to update the docs today.

I didn't prioritize having a "list all clients" functionality, because it didn't seem relevant for actual incident response, and because it becomes inherently slow as the installation becomes large. For most testing purposes, the popular keywords "windows", "linux", "darwin" work fine.

That said, I do plan to make the empty string return all clients. Hopefully I will get this in in the next day or two. (I somehow thought that the aff4 datastore interface would provide an efficient way to list all clients which exist.... as far as I can tell, it does not, so the solution will be a bit of hack.)

If people really want "." as a synonym for an empty query, I guess there is no real problem adding a special case for it, but then people might expect other regexes to work, and we are moving away from that model because it doesn't fit with large scale searching.

Answer 6 · 2015-04-16T17:23:30.000Z

Ben has just submitted a change to support "." as we agreed earlier. I filed this bug because users have no way of discovering that "windows" is now a search term. We've been training people to use "." for a few years, so it needs to stay until we have something more intuitive, especially for small test installs.

Answer 7 · 2016-02-12T00:59:06.000Z

Looks like documentation is now up to date.