I am occasionally getting the error message "Input: server timeout: please try again" while updating a detection. When I refresh or reopen the page, I can see that the intended updates are in place. What could the issue be here?
To bypass or improve this behavior:
- If there are no external API connections, you can use the panther_analysis_tool benchmark command to study and iterate on the performance of your rule.
- We only run tests on the update for enabled rules, not disabled rules, so you can disable the rule before making changes and then re-enable it when you are done. Additionally, enabling/disabling rules from the detections page (rather than the individual rule page, i.e. bulk enable/disable) does not run the tests. However, if you do this, then you won’t have checked if your rule is still passing unit tests after saving.
This behavior seems to be a frontend timeout where the backend is still completing the task. One thing that could cause this would be slow-running unit tests. This might indicate that the detection contains known slow behaviors, such as regexes or using the detections cache.
The slowness probably comes from running the detection unit tests any time a change is made, no matter what the change is.
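The kind of regex that makes a detection's unit tests slow, next to a linear-time rewrite, timed on one event. This is an added example, not Panther's code: the rule function names, the `user_agent` field, both patterns and the sample event are constructed assumptions.

```python
import re
import time

# Constructed sample event: a long run of word characters ending in a
# character the pattern cannot match, which forces the regex to fail late.
EVENT = {"user_agent": "a" * 20 + "!"}

# Nested quantifier: (\w+\s?)+ can split a run of word characters in
# exponentially many ways, and a failing match tries all of them.
SLOW = re.compile(r"^(\w+\s?)+$")

# Accepts the same strings, but each character can be consumed only one way,
# so a failing match backtracks a linear number of times.
FAST = re.compile(r"^\w+(\s\w+)*\s?$")


def rule_slow(event):
    """Hypothetical rule body using the backtracking-prone pattern."""
    return bool(SLOW.match(event.get("user_agent", "")))


def rule_fast(event):
    """Same decision as rule_slow, using the unambiguous pattern."""
    return bool(FAST.match(event.get("user_agent", "")))


def time_rule(rule, event, runs=3):
    """Return the best wall-clock time in seconds for rule(event)."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        rule(event)
        best = min(best, time.perf_counter() - start)
    return best


def compare(event=EVENT):
    """Check both rules agree on the event and report their timings."""
    return {
        "same_result": rule_slow(event) == rule_fast(event),
        "slow_seconds": time_rule(rule_slow, event),
        "fast_seconds": time_rule(rule_fast, event),
    }


if __name__ == "__main__":
    print(compare())
```

Because the tests run on every save of an enabled rule, a unit test whose mock event hits the slow path pays this cost each time, whatever the change was.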