How to create a filter on 2 fields in an alias?

Question

I am looking to create an alias of an index that would retrieve information according to one of 2 filters. One or the other, an "OR" in fact.

For example:

PUT .internal.alerts-security.alerts-jse-000001/_alias/.alerts-security.alerts-global-overview {
  "filter": {
    "terms": {
      "data_stream.namespace": [
        "etu"
      ]
    }
  }  
}

or

PUT .internal.alerts-security.alerts-jse-000001/_alias/.alerts-security.alerts-global-overview {
  "filter": {
    "terms": {
      "agent.name": [
        "ec6b600226d0",
        "b26a7b13a8bd"
      ]
    }
  }
}

Thanks in advance for your help

score 1 · Accepted Answer · answered Mar 22 '22 at 14:39

Simply use a bool/should constraint between the two filters:

PUT .internal.alerts-security.alerts-jse-000001/_alias/.alerts-security.alerts-global-overview
{
  "filter": {
    "bool": {
      "minimum_should_match": 1,
      "should": [
        {
          "terms": {
            "agent.name": [
              "ec6b600226d0",
              "b26a7b13a8bd"
            ]
          }
        },
        {
          "terms": {
            "data_stream.namespace": [
              "etu"
            ]
          }
        }
      ]
    }
  }
}

How to create a filter on 2 fields in an alias?

1 Answers1