Filtered index alias not working

mheck · January 19, 2018, 1:28pm

I want to use an Index alias with a filter to have an index which only contains documents with a certain property set to a specific value.

I added the following filter:

{
  "filebeat-2018.01": {
    "aliases": {
      "filebeat-GTVMA480-2018.01": {
        "filter": {
          "term": {
            "host": "GTVMA480"
          }
        }
      }
    }
  }
}

So I want all documents with host:GTVMA480.

When I search in Kibana for host:GTVMA480 in index filebeat-2018.01, i can find the documents, but when I search in the alias index, i don't get any documents.

Here is an excerpt of my mappings:

"host": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }

I'm on ES 6.0.0

What do I need to change?

Thanks in advance!

val · January 19, 2018, 3:17pm

Great job, you're on the right track! You simply need to use the keyword sub-field in your alias filter, like this and it'll work like a charm:

{
  "filebeat-2018.01": {
    "aliases": {
      "filebeat-GTVMA480-2018.01": {
        "filter": {
          "term": {
            "host.keyword": "GTVMA480"        <-- use the keyword field here
          }
        }
      }
    }
  }
}

system · February 16, 2018, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.