Support date math in index names

[adityaj1107]

Issue by smowky
Wednesday Sep 23, 2020 at 10:05 GMT
Originally opened as opendistro-for-elasticsearch/alerting#254

---

Is your feature request related to a problem? Please describe.
I’m using elasticsearch ILM to rotate my indexes and now alerts are searching through all indexes metricbeat-* which is quite expensive operation.
It would be nice to have a possibility to search only for last 2 day indexes instead

Describe the solution you'd like
Would be nice define search index as:
<logstash-{now/d-2d}>,<logstash-{now/d-1d}>,<logstash-{now/d}>
or
%3Clogstash-%7Bnow%2Fd-2d%7D%3E%2C%3Clogstash-%7Bnow%2Fd-1d%7D%3E%2C%3Clogstash-%7Bnow%2Fd%7D%3E

Describe alternatives you've considered
Alternative solutions is using aliases , which is be default not as easy since elasticsearch ILM actions does not have a possibility do add/remove alias

[adityaj1107]

Hi @smowky

We have added the support for the Date Math Index Name support via API. Please use this documentation to create monitors via API calls to the cluster endpoint. You can provide date math index pattern as specified in the documentation here. Please note that special % encoding for the date math characters is not required while listing the indices for the search query in the monitor.

The support for validation of date math encoding in the OSD dashboards is tracked as a part of this issue. opensearch-project/alerting-dashboards-plugin#17

Sample Indices and Monitors for your reference.

Resolving this issue as no support is required here. Feel free to open if any further questions.