Dashboards Alerting doesn't support remote cross-search clusters

Hello. I have a multi-cluster design, where the clusters have cross-search configurations to search each other.
When trying to follow the Create Monitor dialog in the Alerting feature of OpenSearch Dashboards, I’m finding it’s not possible to enter any of the remote Index Patterns in the Index field (under Data Source).

For example, local-index-family-* seems to work, but…
os4:another-index-family-* does not.
(Even though os4:another-index-family-* is a working Index Pattern and is usable under the Discover feature.)

Am I doing this wrong, or is Alerting not supported for cross-search clusters?

Moved to the Alerting category

Hey @mhoydis,

Alerting currently does not support cross-cluster search. This enhancement is being tracked in this GitHub issue.


I’m posting a follow-up on this as I’ve been looking at this and have posted an update in https://github.com/opensearch-project/alerting/issues/207

Versions: opendistro elasticsearch: 1.13.3 and opendistro kibana: 1.13.2 - but looking to migrate to OpenSearch shortly.

I have a working cross cluster search index pattern :*filebeat-* which covers two remote clusters. This can be queried in the ‘Discover’ tab.

Error from the calling cluster:

Caused by: org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:data/read/search] and User [name=plugin, backend_roles=[], requestedTenant=null]

Error on the remote cluster:

[2022-05-31T10:50:54,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [remote-cluster] No index-level perm match for User [name=plugin, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[filebeat-2022.05.28, filebeat-2022.05.26, filebeat-2022.05.29, filebeat-2022.05.27, filebeat-2022.05.31, filebeat-2022.05.30, filebeat-2022.05.25], types=[*], originalRequested=[filebeat-*], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [own_index]]

[2022-05-31T10:50:54,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [remote-cluster] No permissions for [indices:data/read/search]

My first response was to try and add the missing permission to the User plugin - only that user doesn’t exist as an internal user that I can see, and given its name I am assuming it is something that plugins use internally.

Can anyone shed any light on this - perhaps this is more a Security topic.

Can anyone suggest or think of a workaround here that will allow users to define alerts through the UI? Perhaps this is fixed in the most recent OpenSearch release (which I am in the process of installing myself).

Thanks, Will.
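
One way to triage the PrivilegesEvaluator denials quoted in the post above, as an added example that is not part of the original thread or of the plugin's own code: it parses the "No index-level perm match" lines and groups them by node, user and action. The names `summarize_denials` and `DENIAL` are hypothetical, and the regex assumes the line format shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the two remote-cluster lines from the post, index list shortened.
SAMPLE = (
    "[2022-05-31T10:50:54,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [remote-cluster] "
    "No index-level perm match for User [name=plugin, backend_roles=[], requestedTenant=null] "
    "Resolved [aliases=[], allIndices=[filebeat-2022.05.28, filebeat-2022.05.26], types=[*], "
    "originalRequested=[filebeat-*], remoteIndices=[]] "
    "[Action [indices:data/read/search]] [RolesChecked [own_index]]\n"
    "[2022-05-31T10:50:54,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [remote-cluster] "
    "No permissions for [indices:data/read/search]\n"
)

# Pattern written against the line format shown in the post (assumption: other
# plugin versions may format these lines differently).
DENIAL = re.compile(
    r"\[(?P<ts>[^\]]+)\]\[\w+\s*\]\[[^\]]*PrivilegesEvaluator\]\s+\[(?P<node>[^\]]+)\]\s+"
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+), "
    r"backend_roles=\[(?P<backend_roles>[^\]]*)\].*?"
    r"originalRequested=\[(?P<requested>[^\]]*)\].*?"
    r"\[Action \[(?P<action>[^\]]+)\]\]\s+\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def _items(raw):
    """Split a comma-separated bracket body into a set, dropping empties."""
    return {part.strip() for part in raw.split(",") if part.strip()}

def summarize_denials(log_text):
    """Group index-level denials by (node, user, action)."""
    summary = defaultdict(lambda: {"count": 0, "requested": set(),
                                   "roles_checked": set(), "backend_roles": set()})
    for line in log_text.splitlines():
        m = DENIAL.match(line)
        if m is None:  # e.g. the shorter "No permissions for [...]" follow-up line
            continue
        entry = summary[(m["node"], m["user"], m["action"])]
        entry["count"] += 1
        entry["requested"] |= _items(m["requested"])
        entry["roles_checked"] |= _items(m["roles"])
        entry["backend_roles"] |= _items(m["backend_roles"])
    return dict(summary)

if __name__ == "__main__":
    for (node, user, action), e in summarize_denials(SAMPLE).items():
        print(f"{node}: user={user} action={action} denied x{e['count']}; "
              f"requested={sorted(e['requested'])} roles_checked={sorted(e['roles_checked'])} "
              f"backend_roles={sorted(e['backend_roles']) or 'none'}")
```

For the sample, the summary shows the remote cluster evaluated only the `own_index` role for user `plugin`, which arrived with no backend roles.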