Time based Index pattern expansion with aliases

I'm currently experiencing an issue with Kibana using time-based index patterns with aliases. Basically, I have time-based indices which are rotated daily in the form foo-YYYY.MM.DD. Each index uses filtered aliases bar and baz:

"aliases" : {
  "foo" : {
    "filter" : {
      "term" : {
        "attribute" : "foo"
      }
    }
  },
  "bar" : {
    "filter" : {
      "term" : {
        "attribute" : "bar"
      }
    }
  }
}

When using the index patterns bar and baz, queries using these patterns are always executed against all indices having the corresponding aliases, which is a bit problematic in terms of performance.

For this reason, I tried to use a time-based alias form for each index (corresponding date patterns are set for each day):

"aliases" : {
  "foo-YYYY.MM.DD" : {
    "filter" : {
      "term" : {
        "attribute" : "foo"
      }
    }
  },
  "bar-YYYY.MM.DD" : {
    "filter" : {
      "term" : {
        "attribute" : "bar"
      }
    }
  }
}

Using the index patterns bar-* and baz-*, all queries are executed against the indices foo-YYYY.MM.DD and not bar-YYYY.MM.DD and baz-YYYY.MM.DD as I would expect. Hence, queries return all documents and not only the ones with the attributes that should be filtered.

The only solution I have come up with so far is to use the latter alias form with the deprecated index pattern [bar]-YYYY.MM.DD.
Is there any other proper solution to achieve this without getting a performance penalty?


Elasticsearch: 5.2.2
Kibana: 5.2.2

This is something of a known issue, and it's caused by Kibana's caching of index mappings, and the use of a field_stats API in Elasticsearch to "expand" an index pattern at query time. The short of it is: aliases aren't returned from the field_stats API, the underlying indices are, so those are used directly; the alias is not used, and so neither is the filter.

The easiest solution is to check the "Do not expand index pattern when searching (Not recommended)" box when setting up the index pattern. This will prevent the index pattern "expansion" and just use the star pattern directly. There is a description of what this means in the interface, and I encourage you to read it before you just start using that, as there are some trade-offs. But by checking that, it will use the alias directly.


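An added example, not part of the thread and not Kibana or Elasticsearch code: a small audit helper that takes a response in the shape returned by `GET /_alias` plus a wildcard index pattern, and lists which filtered aliases would be replaced by their underlying indices when the pattern is expanded as the answer above describes. The sample response, its dates and the function name `dropped_filters` are constructed for illustration.

```python
import fnmatch

# Constructed sample in the shape of a GET /_alias response (index -> aliases).
# Index names, dates and filters are made up to mirror the setup in the question.
ALIAS_RESPONSE = {
    "foo-2017.03.01": {"aliases": {
        "bar-2017.03.01": {"filter": {"term": {"attribute": "bar"}}},
        "baz-2017.03.01": {"filter": {"term": {"attribute": "baz"}}},
    }},
    "foo-2017.03.02": {"aliases": {
        "bar-2017.03.02": {"filter": {"term": {"attribute": "bar"}}},
        "all-2017.03.02": {},  # unfiltered alias: expansion loses nothing here
    }},
}


def dropped_filters(pattern, alias_response):
    """List filtered aliases matched by a wildcard index pattern.

    Each finding names the alias, the concrete index that pattern expansion
    would query in its place, and the alias filter that is skipped when the
    concrete index is queried directly instead of the alias.
    """
    findings = []
    for index, body in sorted(alias_response.items()):
        for alias, spec in sorted(body.get("aliases", {}).items()):
            alias_filter = spec.get("filter")
            # Only aliases that carry a filter change the result set when
            # they are swapped for the index they point at.
            if alias_filter and fnmatch.fnmatchcase(alias, pattern):
                findings.append({
                    "alias": alias,
                    "expanded_to": index,
                    "dropped_filter": alias_filter,
                })
    return findings


if __name__ == "__main__":
    for f in dropped_filters("bar-*", ALIAS_RESPONSE):
        print("%(alias)s -> %(expanded_to)s loses %(dropped_filter)s" % f)
```

Any finding for a pattern means queries through that pattern only stay filtered while expansion is disabled for it.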