How to Avoid an RQL Query Timeout in the Investigate Tab in Prisma Cloud?

• How to Avoid an RQL Query Timeout in the Investigate Tab in Prisma Cloud?

• Prisma Cloud
• RQL

1. No resources available in the onboarded cloud accounts to match the query.
2. The RQL query timed out.

To confirm the above scenarios, consider the following examples.

1. In RQL query 1, we only see the "No Results Available" message that indicates no cloud resources available to match this query
2. However, in RQL query 2, with the "No Results Available" message we also see the 3 tabs pertaining to "Searches" below the query, that indicate an RQL query timeout.

RQL query 2 : Identify all running instances in "all onboarded cloud accounts" that are using an AMI not owned by managed accounts.



Cause

• When running an RQL query in Investigate tab, the backend will query the database for references that match the filter we input.
• In RQL query 2, the backend queried the database for resources in all onboarded cloud accounts matching the query
• In situations when there are too many resources to sort through in 3 mins, the RQL query may timeout, as seen in the above example.

Workaround

1. To avoid RQL query to timeout, filter it to scan a smaller segment i.e. either a particular account or account group
2. In the following example, cloud.account = 'RDS AWS Test' is added to filter the RQL query to a particular account.