Best way to look for a doc across multiple indices?

Hello everyone!

Kibana saves alerts in an index .opendistro-alerting-alerts and when the alert completes, it moves it to .opendistro-alerting-alert-history.yyyy.mm.

I have a check-incident function in a step-function on AWS. check-incident runs every 2 minutes and checks the status of the incident.

Right now, I am using the Get endpoint to fetch this doc from .opendistro-alerting-alerts, but this fails when the incident is actually completed, since the doc is no longer present in this index.

So, what is the best way to look for a doc across multiple indices? I want to look for a doc with id X across .opendistro-alerting-alert*. I believe the Get endpoint doesn't accept wildcards. So, what is the best way to do this?

Resolved by using a search query on the matching indices, i.e. .opendistro-alerting-alert*.

```json
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "_id": "<id goes here>" } }
      ]
    }
  }
}
```

I am not sure if this is the most efficient way to look for an id in a set of indices, but it works and we don't run this often enough that it'll generate perf problems for us, so I guess this is fine.
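The lookup from the reply above, as an added example that is not part of the original post: a check-incident step in Python that runs the search across the index pattern and reports whether the alert is still active or has moved to a history index. The cluster URL, the urllib-based request and the sample responses are assumptions.

```python
import json
import urllib.request
from typing import Optional

# Index pattern from the post; the alert id "X" and the cluster URL are placeholders.
INDEX_PATTERN = ".opendistro-alerting-alert*"
HISTORY_PREFIX = ".opendistro-alerting-alert-history"


def build_lookup(alert_id: str) -> dict:
    """Search body that matches one document id across every index in the pattern.
    The 'ids' query is the idiomatic form of the term-on-_id filter from the post.
    An id is unique within one index, not across the pattern, so size 2 lets the
    caller notice if the same id shows up in both the active and a history index."""
    return {"size": 2, "query": {"bool": {"filter": [{"ids": {"values": [alert_id]}}]}}}


def classify(response: dict) -> Optional[dict]:
    """Return the index holding the alert and whether it has completed, or None
    when no index in the pattern contains it. The active index wins if both match."""
    hits = response.get("hits", {}).get("hits", [])
    if not hits:
        return None
    hits = sorted(hits, key=lambda h: h["_index"].startswith(HISTORY_PREFIX))
    hit = hits[0]
    return {
        "index": hit["_index"],
        "completed": hit["_index"].startswith(HISTORY_PREFIX),
        "state": hit.get("_source", {}).get("state"),
    }


def check_incident(base_url: str, alert_id: str, timeout: float = 5.0) -> Optional[dict]:
    """One check-incident run: POST the search against the pattern and classify the hit.
    base_url is assumed to be the cluster endpoint, e.g. https://host:9200 (not run here)."""
    req = urllib.request.Request(
        f"{base_url}/{INDEX_PATTERN}/_search",
        data=json.dumps(build_lookup(alert_id)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify(json.load(resp))


# Constructed sample responses shaped like an OpenSearch _search reply.
ACTIVE = {"hits": {"hits": [{"_index": ".opendistro-alerting-alerts", "_id": "X",
                             "_source": {"state": "ACTIVE"}}]}}
HISTORY = {"hits": {"hits": [{"_index": ".opendistro-alerting-alert-history.2023.05", "_id": "X",
                              "_source": {"state": "COMPLETED"}}]}}
MISSING = {"hits": {"hits": []}}
```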
