Elasticsearch: Alternative to using filtered aliases

Question

I'm trying to figure out possible solution to the following problem. In my current implementation I'm relying on so called filtered aliases where I can create a view of the same index for each user e.g.:

POST /aliases { "actions": "add": { "index": "events", "alias": "events_123", "filter": { "match": { "user_id": "123" } } } }

All my write/read api calls are using aliases instead of the index name. Unfortunately, I cannot use filtered aliases anymore due to the recent changes related to introduction of index per day pattern managed by an external component. Is there a simple (or not so simple) way to provide my user_id filter as a parameter to a rest api call. For example, if I had a POST /events*/_search {...} request, would it be possible to add a filter without the need to modify the search query itself?

Answer 1

You can keep using filtered aliases — the index can also include a wildcard. Not sure what your index structure looks like, but something like this will work:

POST /aliases
{
  "actions": {
    "add": {
      "index": "events*",
      "alias": "events_123",
      "filter": {
        "match": {
          "user_id": "123"
        }
      }
    }
  }
}

If you keep adding indices over time, the alias needs to be applied through an index template (documentation) — this is for example how the Beats do it:

PUT _template/events
{
  "index_patterns": ["events_*"],
  "aliases": {
    "events_123": {
      "filter": {
        "match": {
          "user_id": "123"
        }
      }
    }
  }
}

PS: You can have a list of aliases, but I only added a single one to keep it simple.