Create a data view

Hi everyone,

I have two hosts that I want to add to a Data View. Their logs are being sent to this data stream:

.ds-logs-elastic_agent.fleet_server-default-2025.02.04-000004

I have tested using an alias with a filter, but this approach is not supported. How can I manage this in the best possible way?

Thanks for your help!

POST /_aliases
{
  "actions": [
    {
      "add": {
        "index": ".ds-logs-elastic_agent.fleet_server-default*",
        "alias": "test-alias",
        "filter": {
          "wildcard": {
            "agent.name": "srv0*"
          }
        }
      }
    }
  ]
}

Error:
Then I got the error: Data stream backing indices don't support aliases.

Hi @arcsons,

Do you need to create the data view via an API? You can use the data view creation screen in Kibana, or alternatively create the data view using the create API.

Hope that helps!

Hi Clary, sure, I can create the data view in the GUI.
But how can I add an alias or filter for the two hosts?

Why do you need to create an alias? This error is covered in this related post, and you'll see that the data stream name is effectively an alias.

Are you needing to filter the data for a particular visualization or dashboard? If so you can use the filters at the top.

Hope that helps!

I don't know if I need an alias and filter. But I want a Data View named App1 that contains logs from 2 specific hosts. Sorry if I'm not clear enough.

You need to add the alias to the data stream, not the backing indices.

Try to use logs-elastic_agent.fleet_server-default instead.

Let's say I have 100+ agents on that index. How can I then filter out 2 specific ones?

Using a query filter in the same way you were doing in the first post, but you need to check with a query that the filter is correct, and target the data stream, not a backing index.

The main question is, what is the reason behind creating a filtered data view?

For me it's like a link or bookmark to a specific application.

Is there something wrong with using data views in that way? For me it's handy to have a list with different shortcuts to logs.

I would say that it is a bad approach because you may end up with a lot of data views, which can add confusion.

Also, Dashboards and Security Rules are created based on the data view, so you may need duplicate dashboards and security rules if you are going to use them.

It is way more common to just filter by the hosts you want in Discover or a Dashboard, be it by adding a filter at the moment you are using it or by using a saved search in Discover with the filter already saved.
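
The alias approach suggested earlier in the thread (target the data stream, check the filter with a query, then point a data view at the alias), written out as an added example that is not from any of the posters. It assumes Kibana 8.x Dev Tools (for the `kbn:` prefix), an Elasticsearch version that supports filters on data stream aliases, and reuses the thread's `test-alias`, `srv0*` and `App1` names.

```console
# 1. Add the filtered alias to the data stream itself,
#    not to the .ds-* backing indices (which reject aliases).
POST /_aliases
{
  "actions": [
    {
      "add": {
        "index": "logs-elastic_agent.fleet_server-default",
        "alias": "test-alias",
        "filter": {
          "wildcard": {
            "agent.name": "srv0*"
          }
        }
      }
    }
  ]
}

# 2. Check the filter: list which agent names are visible through
#    the alias. Only the intended hosts should appear as buckets.
GET /test-alias/_search
{
  "size": 0,
  "aggs": {
    "visible_agents": {
      "terms": { "field": "agent.name", "size": 20 }
    }
  }
}

# 3. Create the data view on top of the alias (Kibana data views API).
POST kbn:/api/data_views/data_view
{
  "data_view": {
    "title": "test-alias",
    "name": "App1"
  }
}
```

An alias filter only narrows what a query through the alias returns; it is not an access control, because anyone who can read the data stream directly still sees all agents.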