I am looking to create an alias of an index that would retrieve information according to one of 2 filters. One or the other, an "OR" in fact.
For example:
PUT .internal.alerts-security.alerts-jse-000001/_alias/.alerts-security.alerts-global-overview {
"filter": {
"terms": {
"data_stream.namespace": [
"etu"
]
}
}
}
or
PUT .internal.alerts-security.alerts-jse-000001/_alias/.alerts-security.alerts-global-overview {
"filter": {
"terms": {
"agent.name": [
"ec6b600226d0",
"b26a7b13a8bd"
]
}
}
}
Thanks in advance for your help
Simply use a bool/should constraint between the two filters:
PUT .internal.alerts-security.alerts-jse-000001/_alias/.alerts-security.alerts-global-overview
{
"filter": {
"bool": {
"minimum_should_match": 1,
"should": [
{
"terms": {
"agent.name": [
"ec6b600226d0",
"b26a7b13a8bd"
]
}
},
{
"terms": {
"data_stream.namespace": [
"etu"
]
}
}
]
}
}
}