Alias with filter doesn't work with OpenSearch

Hello, I used aliases a lot before, but in OpenSearch I can’t get them to work properly. No matter what filter I put on the alias, I always see the whole index.


Has anyone managed to resolve this issue? I am also encountering it on OpenSearch 2.4.0.

@samlo Could you share details of your scenario with examples?

@pablo Sure. For example, this is a filtered alias created on the security-auditlog index:

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "security-auditlog-2023.05.01",
        "alias": "security_index_event",
        "filter": {
          "term": {
            "audit_category.keyword": "INDEX_EVENT"
          }
        }
      }
    }
  ]
}

This is the index mapping for the security-auditlog index

...
     "audit_category" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
...

The expectation is that a search through the filtered alias returns only docs with "audit_category.keyword": "INDEX_EVENT". However, the search through the filtered alias seems to return the entire unfiltered index.

@samlo I tried to reproduce your issue but couldn’t.
I used your API call to create the alias and then ran the search below through it.

POST security_index_event/_search
{
  "size": 1,
  "docvalue_fields": ["audit_category.keyword"],
  "stored_fields": [],
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "audit_category.keyword": "FAILED_LOGIN"
          }
        }
      ]
    }
  }
}
{
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

When I change the category to INDEX_EVENT, I get the below output.

{
  "took" : 8,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 76,
      "relation" : "eq"
    },
    "max_score" : 0.0,
    "hits" : [
      {
        "_index" : "security-auditlog-2023.07.18",
        "_id" : "fDxdaIkBk65FlbL_-UyZ",
        "_score" : 0.0,
        "fields" : {
          "audit_category.keyword" : [
            "INDEX_EVENT"
          ]
        }
      }
    ]
  }
}

@samlo Could you run the below queries and share the outputs?

GET security-auditlog-2023.07.18/_search
{
  "size": 0, 
  "aggs": {
    "audit_category": {
      "terms": {
        "field": "audit_category.keyword"
      }
    }
  }
}
GET security_index_event/_search
{
  "size": 0, 
  "aggs": {
    "audit_category": {
      "terms": {
        "field": "audit_category.keyword"
      }
    }
  }
}

These are the outputs:

# GET security-auditlog-2023.07.18/_search
{
  "took" : 14,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 5671,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "audit_category" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "INDEX_EVENT",
          "doc_count" : 5296
        },
        {
          "key" : "SSL_EXCEPTION",
          "doc_count" : 375
        }
      ]
    }
  }
}

# GET security_index_event/_search
{
  "took" : 10,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 4354,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "audit_category" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "INDEX_EVENT",
          "doc_count" : 3860
        },
        {
          "key" : "SSL_EXCEPTION",
          "doc_count" : 494
        }
      ]
    }
  }
}

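@samlo The aggregation queries show that your filter in the alias doesn’t work: the result for security_index_event still contains an SSL_EXCEPTION bucket, which a filter on INDEX_EVENT should have excluded.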
Would you mind sharing the output of the below API call?

GET security_index_event

@pablo this is the output of GET security_index_event

{
  "security-auditlog-2023.05.01" : {
    "aliases" : {
      "security_index_event" : {
        "filter" : {
          "term" : {
            "audit_category.keyword" : "INDEX_EVENT"
          }
        }
      }
    },
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "audit_category" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_cluster_name" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_format_version" : {
          "type" : "long"
        },
        "audit_node_host_address" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_node_host_name" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_node_id" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_node_name" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_request_effective_user" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_request_effective_user_is_admin" : {
          "type" : "boolean"
        },
        "audit_request_exception_stacktrace" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_request_layer" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_request_origin" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_request_privilege" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_request_remote_address" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_trace_indices" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_trace_resolved_indices" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_trace_task_id" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_trace_task_parent_id" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "audit_transport_headers" : {
          "properties" : {
            "_opendistro_security_initial_action_class_header" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "_opendistro_security_origin_header" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "_opendistro_security_remote_address_header" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "_opendistro_security_remotecn" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "_opendistro_security_user_header" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "_system_index_access_allowed" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            }
          }
        },
        "audit_transport_request_type" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
    },
    "settings" : {
      "index" : {
        "creation_date" : "1682899202947",
        "number_of_shards" : "1",
        "number_of_replicas" : "1",
        "uuid" : "wNHTp1NTR0GuAWTuNcLAlA",
        "version" : {
          "created" : "136257827"
        },
        "provided_name" : "security-auditlog-2023.05.01"
      }
    }
  }
}