Using aliases to optimize queries from a dashboard

Good afternoon. At the moment I am looking into the best way to optimize how many users query from the dashboard. We have index patterns that store information for more than one year, and when users filter the dashboards over long periods of time the cluster starts to fail.

Have you considered using rollups to rollup your data after it has reached a certain age?

Greetings Lukas, it is a good option; however, we are still considering which is best. We were told that with an alias we could control the queries at the user level, but I have not found an example of how it could be applied. That is to say, the history that can be queried could be limited per user. Would that be possible?

Sure, that makes sense. If you create an alias, you can control which indices that alias points to, in order to restrict what the users will be able to query.

For example, if my indices are in the format logs-2021-02-05, I could create an alias, my-logs, that targets specific indices using the index alias APIs:

POST /_aliases
{
  "actions" : [
    { "add" : { "index" : "logs-2021-02-04", "alias" : "my-logs" } },
    { "add" : { "index" : "logs-2021-02-05", "alias" : "my-logs" } }
  ]
}

An alias can target any number of indices. You can also remove indices from an alias:

POST /_aliases
{
  "actions" : [
    { "remove" : { "index" : "logs-2020-02-04", "alias" : "my-logs" } }
  ]
}

Then, in Kibana, you can create an index pattern from the alias (in our example, my-logs).

Hope this helps!
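Keeping such an alias pointed at a rolling window of recent indices, as an added example that is not part of the original reply: the function below builds one `POST /_aliases` body that removes indices that have aged out and adds new ones in the same request. The `logs-YYYY-MM-DD` naming and the `my-logs` alias come from the reply; the function names, the retention window and the sample index lists are assumptions constructed for illustration.

```python
import json
import re
from datetime import date, timedelta

# Index naming taken from the reply above: logs-YYYY-MM-DD
INDEX_RE = re.compile(r"^logs-(\d{4})-(\d{2})-(\d{2})$")


def index_day(name):
    """Return the date encoded in a logs-YYYY-MM-DD name, or None if it does not parse."""
    m = INDEX_RE.match(name)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # syntactically valid but impossible date, e.g. logs-2021-02-30
        return None


def alias_actions(existing, current_members, alias, today, keep_days):
    """Build the POST /_aliases body so `alias` covers only the last keep_days days.

    existing        -- names of indices present in the cluster
    current_members -- indices the alias points to right now
    """
    oldest = today - timedelta(days=keep_days - 1)
    wanted = set()
    for name in existing:
        day = index_day(name)
        if day is not None and oldest <= day <= today:
            wanted.add(name)
    members = set(current_members)
    actions = []
    # Removes and adds go in one request, so the alias changes in a single step.
    for name in sorted(members - wanted):
        actions.append({"remove": {"index": name, "alias": alias}})
    for name in sorted(wanted - members):
        actions.append({"add": {"index": name, "alias": alias}})
    return {"actions": actions}


if __name__ == "__main__":
    # Constructed sample data, not taken from a real cluster.
    existing = ["logs-2020-02-04", "logs-2021-02-03", "logs-2021-02-04",
                "logs-2021-02-05", "metrics-2021-02-05"]
    members = ["logs-2021-02-03", "logs-2021-02-04"]
    body = alias_actions(existing, members, "my-logs", date(2021, 2, 5), keep_days=2)
    print("POST /_aliases")
    print(json.dumps(body, indent=2))
```

The printed body can be pasted into the Kibana console; running it on a schedule keeps the Kibana index pattern built on the alias limited to the chosen window.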

Thank you very much, Lukas. I think I should definitely consider creating ILM policies where I can manage indices at the performance, resistance and retention level.

Lukas, good afternoon. I have a question: how can I force specific users or roles to filter in Kibana only for short periods, without a search option enabled for long periods, as this slows down the cluster?