KQL in alerts

anonymous

Is there a way to specify the syntax(KQL or Lucene) to use in alerts?

SzymonC

Hi,

Alert use Lucene syntax only. I mean, to be precise - alerts use Query DSL, which uses Lucene. So if Lucene is to basic, you can always expand with other DSL structure. The query_string statement is just a option in query DSL. Similar to this: https://opensearch.org/docs/latest/query-dsl/full-text/query-string/

More about DSL: https://opensearch.org/docs/latest/query-dsl