Currently I use the elasticsearch filter to search for specific events that have occurred.
The index I am searching is index => "filebeat-*-%{+y}.%{+MM}.%{+dd}"
I'm looking to query both today's index and yesterday's, as events may overlap by a day.
Looking at the documentation here, it allows a comma-delimited list of index names to search; however, I am unable to work out the correct syntax to check for yesterday's date.
Originally I thought about using a similar method that appears to work in Watcher alerts, as below, to search both today's and yesterday's indices; however, this doesn't appear to work in the elasticsearch filter.
index => "filebeat-*-{now-1d}, filebeat-*-{now}"
Any ideas on how to achieve this?
Cheers
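One way to get a "today plus yesterday" index list into the elasticsearch filter is to compute it in a ruby filter and hand it over through @metadata, since the filter's index option accepts sprintf references. The Ruby below is an added example written for this thread, not code from the original post or from the Logstash project; the helper names daily_indices and stash_search_indices, the field name [@metadata][search_indices], the FakeEvent stand-in and the sample timestamps are all my own assumptions. Day boundaries are taken in UTC, which is what Logstash's %{+yyyy.MM.dd} sprintf uses for @timestamp, so the computed names stay consistent with the index the event itself was written to; the tests cover the midnight-rollover case where local time and UTC fall on different days.

```ruby
require 'time'
require 'date'

# Build the comma-delimited index list the elasticsearch filter expects,
# covering the event's own UTC day plus `days_back` previous days.
# Example (constructed): daily_indices('filebeat-*', Time.utc(2017, 3, 1))
#   => "filebeat-*-2017.03.01,filebeat-*-2017.02.28"
def daily_indices(prefix, event_time, days_back = 1)
  # getutc returns a new Time (Time#utc would mutate the caller's object)
  base = event_time.getutc.to_date
  (0..days_back).map { |d| "#{prefix}-#{(base - d).strftime('%Y.%m.%d')}" }.join(',')
end

# Minimal stand-in for a Logstash Event so the logic can be exercised
# outside the pipeline (assumption: the real Event exposes get/set the same way).
class FakeEvent
  def initialize(timestamp)
    @fields = { '@timestamp' => timestamp }
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end
end

# Stash the list under @metadata so the elasticsearch filter can reference it
# with index => "%{[@metadata][search_indices]}" while it is never indexed itself.
def stash_search_indices(event, prefix, days_back = 1)
  ts = event.get('@timestamp')
  # In a real ruby filter @timestamp is a LogStash::Timestamp; .time yields a Ruby Time
  ts = ts.time if ts.respond_to?(:time)
  event.set('[@metadata][search_indices]', daily_indices(prefix, ts, days_back))
  event
end

# Assumed pipeline wiring (not from the original post):
#   filter {
#     ruby {
#       init => "<the two method definitions above>"
#       code => "stash_search_indices(event, 'filebeat-*')"
#     }
#     elasticsearch {
#       index => "%{[@metadata][search_indices]}"
#       # ... query / fields as before
#     }
#   }

if __FILE__ == $PROGRAM_NAME
  ev = FakeEvent.new(Time.utc(2017, 3, 1, 0, 5, 0))
  stash_search_indices(ev, 'filebeat-*')
  puts ev.get('[@metadata][search_indices]')
end
```

The rollover cases are the ones worth checking before relying on this: an event stamped 01:30 at UTC+2 on 1 March is still 28 February in UTC, so the list must be 02.28 and 02.27, not 03.01 and 02.28.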