How to update alias to capture new matching index patterns?

TL;DR

How do I continuously update an alias to capture new matching index patterns?

Longer Version...

We use a non-standard format that looks like this:

myapp-beatname-version-YYYY.mm.dd

I.e., a heartbeat index will look like:

myapp-heartbeat-7.2.0-2019.08.06

When using the Uptime module, the heartbeat documentation notes that the Uptime module matches the index pattern heartbeat-7* and suggests using an alias if the index format doesn't match that. However, the alias documentation makes it clear that the following alias specification:

{
    "actions" : [
        { "add" : { "index" : "*-heartbeat-*", "alias" : "heartbeat-7.x.x" } }
    ]
}

However, the index alias documentation states that:

In this case, the alias is a point-in-time alias that will group all current indices that match, it will not automatically update as new indices that match this pattern are added/removed.

Obviously, this does not work well with the Uptime module, where the alias must continuously update and capture newly-created aliases.

I'm certain there is a way around this, but I'm still enough of a novice in the ELK stack that I don't see it and haven't been able to find it in my searches.

I've reached out to the Uptime team, so hopefully someone from there will weigh in. Looking at it, it does look as if there isn't a good solution. The only thing I can think of is to have some script that updates the alias whenever it detects a new index pattern. That's obviously not ideal. However, since your index patterns are day-based, you could run the script once a day, so it probably wouldn't be too complex or slow.

Thanks.

As I read the index alias documentation further, it appears that it's possible to add an index assignment to the template, which means that it would automatically add itself to that alias when the daily index is created.

However, the question I have regarding this is then whether indices with a heartbeat-7.x.x-YYYY.mm.dd pattern would appear twice in Uptime - once from the original index, once from the heartbeat-7.x.x alias.

My workaround for this was to add the following to the template:

"aliases": {
  "heartbeat-7.3.0-alias": {}
},

This has resolved the issue. I already use a script to upload templates to Elasticsearch. This script also edits the templates on the fly to add an additional index pattern match in order to apply it to our alternate index-name convention, so I should be able to update it to add the alias on the fly as well.
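The template-side workaround described in the thread, as an added example that is not part of the original posts and not the poster's script: it patches a legacy `_template` body with an extra index pattern and the alias, and also builds the one-time `_aliases` request for indices that already exist, since templates are applied only when an index is created. The function names, the sample template and the `myapp-heartbeat-7.3.0-*` pattern are assumptions built from the naming shown above.

```python
import copy
import fnmatch
import json


def patch_template(template, extra_pattern, alias):
    """Return a copy of a legacy (_template) body that also matches
    extra_pattern and attaches alias to every index it creates."""
    patched = copy.deepcopy(template)
    patterns = patched.get("index_patterns", [])
    if isinstance(patterns, str):        # tolerate a single bare-string pattern
        patterns = [patterns]
    if extra_pattern not in patterns:    # idempotent across repeated uploads
        patterns = patterns + [extra_pattern]
    patched["index_patterns"] = patterns
    # Same shape as the fragment in the thread: "aliases": {"<name>": {}}
    patched.setdefault("aliases", {}).setdefault(alias, {})
    return patched


def backfill_actions(existing_indices, pattern, alias):
    """Build an _aliases body for indices created before the template
    was patched; the template alone never touches those."""
    matched = sorted(i for i in existing_indices
                     if fnmatch.fnmatchcase(i, pattern))
    return {"actions": [{"add": {"index": i, "alias": alias}}
                        for i in matched]}


# Constructed sample data (not taken from a real cluster).
SAMPLE_TEMPLATE = {
    "index_patterns": ["heartbeat-7.3.0-*"],
    "settings": {"index": {"number_of_shards": 1}},
}
SAMPLE_INDICES = [
    "myapp-heartbeat-7.3.0-2019.08.05",
    "myapp-heartbeat-7.3.0-2019.08.06",
    "myapp-filebeat-7.3.0-2019.08.06",
]
PATTERN = "myapp-heartbeat-7.3.0-*"   # assumed alternate naming convention
ALIAS = "heartbeat-7.3.0-alias"       # alias name used in the thread

if __name__ == "__main__":
    # Bodies for PUT _template/<name> and POST _aliases respectively.
    print(json.dumps(patch_template(SAMPLE_TEMPLATE, PATTERN, ALIAS), indent=2))
    print(json.dumps(backfill_actions(SAMPLE_INDICES, PATTERN, ALIAS), indent=2))
```
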
