Hello, I used aliases a lot before, but in OpenSearch I can't get them to work properly. No matter what filter I put on the alias, I always see the whole index.
Has anyone managed to resolve this issue? I am also encountering it on OpenSearch 2.4.0.
@samlo Could you share details of your scenario with examples?
@pablo sure. For example, this is a filtered alias created on the security-auditlog index:
POST _aliases
{
"actions": [
{
"add": {
"index": "security-auditlog-2023.05.01",
"alias": "security_index_event",
"filter": {
"term": {
"audit_category.keyword": "INDEX_EVENT"
}
}
}
}
]
}
This is the relevant part of the index mapping for the security-auditlog index:
...
"audit_category" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
...
The expectation is that querying through the filtered alias should only return docs with "audit_category.keyword": "INDEX_EVENT". However, the search through the filtered alias seems to return the entire unfiltered index.
@samlo I've tried to reproduce your issue but couldn't. I used your API call to create the alias, then ran this search through it:
POST security_index_event/_search
{
"size": 1,
"docvalue_fields": ["audit_category.keyword"],
"stored_fields": [],
"query": {
"bool": {
"filter": [
{
"term": {
"audit_category.keyword": "FAILED_LOGIN"
}
}
]
}
}
}
{
"took" : 6,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 0,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
}
}
When I change the category to INDEX_EVENT, I get the output below.
{
"took" : 8,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 76,
"relation" : "eq"
},
"max_score" : 0.0,
"hits" : [
{
"_index" : "security-auditlog-2023.07.18",
"_id" : "fDxdaIkBk65FlbL_-UyZ",
"_score" : 0.0,
"fields" : {
"audit_category.keyword" : [
"INDEX_EVENT"
]
}
}
]
}
}
@samlo Could you run the two queries below and share their outputs?
GET security-auditlog-2023.07.18/_search
{
"size": 0,
"aggs": {
"audit_category": {
"terms": {
"field": "audit_category.keyword"
}
}
}
}
GET security_index_event/_search
{
"size": 0,
"aggs": {
"audit_category": {
"terms": {
"field": "audit_category.keyword"
}
}
}
}
These are the outputs:
# GET security-auditlog-2023.07.18/_search
{
"took" : 14,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 5671,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"audit_category" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "INDEX_EVENT",
"doc_count" : 5296
},
{
"key" : "SSL_EXCEPTION",
"doc_count" : 375
}
]
}
}
}
# GET security_index_event/_search
{
"took" : 10,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 4354,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"audit_category" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "INDEX_EVENT",
"doc_count" : 3860
},
{
"key" : "SSL_EXCEPTION",
"doc_count" : 494
}
]
}
}
}
@samlo The aggregation outputs show that the filter on your alias is not being applied: the search through the alias still returns SSL_EXCEPTION documents, which the term filter on audit_category.keyword should exclude.
Would you mind sharing the output of the API call below?
GET security_index_event
@pablo this is the output of GET security_index_event:
{
"security-auditlog-2023.05.01" : {
"aliases" : {
"security_index_event" : {
"filter" : {
"term" : {
"audit_category.keyword" : "INDEX_EVENT"
}
}
}
},
"mappings" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"audit_category" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_cluster_name" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_format_version" : {
"type" : "long"
},
"audit_node_host_address" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_node_host_name" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_node_id" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_node_name" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_request_effective_user" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_request_effective_user_is_admin" : {
"type" : "boolean"
},
"audit_request_exception_stacktrace" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_request_layer" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_request_origin" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_request_privilege" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_request_remote_address" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_trace_indices" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_trace_resolved_indices" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_trace_task_id" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_trace_task_parent_id" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"audit_transport_headers" : {
"properties" : {
"_opendistro_security_initial_action_class_header" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"_opendistro_security_origin_header" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"_opendistro_security_remote_address_header" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"_opendistro_security_remotecn" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"_opendistro_security_user_header" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"_system_index_access_allowed" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
},
"audit_transport_request_type" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
},
"settings" : {
"index" : {
"creation_date" : "1682899202947",
"number_of_shards" : "1",
"number_of_replicas" : "1",
"uuid" : "wNHTp1NTR0GuAWTuNcLAlA",
"version" : {
"created" : "136257827"
},
"provided_name" : "security-auditlog-2023.05.01"
}
}
}
}