Best way to look for a doc across multiple indices?

ishanjain · June 23, 2020, 2:41am

Hello everyone!

Kibana saves alerts in a index .opendistro-alerting-alerts and when the alert completes, It moves it to .opendistro-alerting-alert-history.yyyy.mm.

I have a check-incident function in a step-function on AWS. check-incident runs every 2 minutes and checks the status of the incident.

Right now, I am using Get endpoint to fetch this doc from .opendistro-alerting-alerts but this fails when the incident is actually completed since the doc is no longer present in this index.

So, What is the best way to look for a doc across multiple indexes? I want to look for a doc with id X across .opendistro-alerting-alert*. I believe, Get endpoint doesn't accept wildcards. So, What is the best way to do this?

ishanjain · June 23, 2020, 5:36pm

Resolved by using a search query on the matching indices. i.e. .opendistro-alerting-alert*.

{
  "query": { 
    "bool": { 
      "filter": [ 
        { "term":  { "_id": "<id goes here>" }}
      ]
    }
  }
}

I am not sure if this is the most efficient way to look for a id in a set of indices but it works and we don't run this often enough that it'll generate perf problems for us soo, I guess this is fine.

system · July 21, 2020, 5:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Opendistro Alerting indices retrieves nothing Kibana	2	307	July 6, 2022
Alerts in kibana are not getting trigger Kibana	3	339	July 31, 2022
Create Alert by Comparing 2 fields in 2 indexes Kibana elastic-stack-alerting	3	555	October 31, 2021
Query Predicated on Another Elasticsearch	2	451	October 20, 2017
Little help understanding a document query issue Elasticsearch elastic-stack-security , fleet	1	129	January 30, 2024

Best way to look for a doc across multiple indices?

Related topics