Skip to content

Add MongoDB indices for analysis fields #2079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
JSCU-CNI wants to merge 1 commit into from
Closed

Add MongoDB indices for analysis fields #2079

JSCU-CNI wants to merge 1 commit into from

Conversation

@JSCU-CNI
Copy link
Contributor

@JSCU-CNI JSCU-CNI commented Apr 22, 2024

This PR adds keyword indices for certain fields in the analysis collection. This massively improves load time when accessing an individual analysis result in CAPE on large MongoDB instances.

CAPE uses one large OR-query when loading an analysis result which is why we opted for a separate index for every field on which the aggregation is run. The query also looks for exact matches so the fields are indexed as keyword instead of text.

@JSCU-CNI
Add MongoDB indices for certain analysis fields
5ea47d8 
This massively improves load time when accessing an individual analysis result in CAPEv2 on large MongoDB instances.
nbargnesi
nbargnesi reviewed Apr 22, 2024
View reviewed changes
lib/cuckoo/core/startup.py
"procmemory.file_ref",
]
for item in items:
mongo_create_index(
Copy link
Contributor

@nbargnesi nbargnesi Apr 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will take a very long time for a lot of CAPE installations - terabyte scale is common. Probably better to do this in the utils somewhere and emit a warning if the indices aren't found.

Copy link
Contributor Author

@JSCU-CNI JSCU-CNI May 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where exactly do you suggest we should put this?

Copy link
Contributor

@nbargnesi nbargnesi May 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest as a new module in utils, mongodb_indices or something appropriately named.

In the startup module you can check the indices are there and emit a warning if they're missing.

Note too, the difference between doing it in startup and utils. Putting it in utils means we can add indices out-of-band, while CAPE continutes to run. Great way of making things faster incrementally without bringing CAPE down by touching startup.

@doomedraven
Copy link
Collaborator

doomedraven commented Jun 30, 2025

this is obsolete now, i have added indexes for md5 and sha256 + rewrote the searching

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@nbargnesi nbargnesi nbargnesi left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JSCU-CNI @doomedraven @nbargnesi