Hi,
I was wondering if anyone could help me with my problem:
I have a template, and a number of indices are mapped using the template.
i.e.
cdr_xyz_1234
cdr_xyz_5689
cdr_xyz_9876
I run a search query on all the indices and it works fine:
GET cdr_xyz_*/_search
{
  "size": 10000,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "call_datetime_iso": {
              "gte": "2019-11-20"
            }
          }
        }
      ]
    }
  }
}
But if I run an aggregate search query:
GET cdr_xyz_*/_serach
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {"match": {"call_type": "MOBILE"}}
      ]
    }
  },
  "aggs": {
    "account": {
      "terms": {"field": "accountid.keyword"},
      "aggs": {
        "calls_over_time": {
          "date_histogram": {"field": "call_datetime_iso", "interval": "week"}
        }
      }
    }
  }
}
I get this:
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:admin/create] is unauthorized for user [elastic]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:admin/create] is unauthorized for user [elastic]",
    "caused_by": {
      "type": "illegal_state_exception",
      "reason": "There are no external requests known to support wildcards that don't support replacing their indices"
    }
  },
  "status": 403
}
I even created a user with a role which has all privileges on "cdr_xyz_*" but still get the same error.
Could you please tell me how to resolve this issue?
Many thanks