Error message "Input: server timeout: please try again" while updating a detection in Panther

Last updated
Save as PDF

Issue

I am occasionally getting the error message "Input: server timeout: please try again" while updating a detection. When I refresh or reopen the page, I can see that the intended updates are in place. What could the issue be here?

Resolution

To bypass or improve this behavior:

If there are no external API connections you can use the panther_analysis_tool benchmark command to study and iterate on the performance of your rule.
We only run tests on the update for enabled rules, not disabled rules, so you can disable the rule before making changes and then re-enable it when you are done. Additionally, enabling/disabling rules from the detections page (rather than the individual rule page, i.e. bulk enable/disable) does not run the tests. However, if you do this, then you won’t have checked if your rule is still passing unit tests after saving.

Cause

This behavior seems to be a frontend timeout where the backend is still completing the task. One thing that could cause this would be slow-running unit tests. This might indicate that the detection contains known slow behaviors, such as regexes or using the detections cache.

The slowness probably comes from running the detection unit tests any time a change is made, no matter what the change is.