Is there a way to specify the syntax(KQL or Lucene) to use in alerts?
Hi,
Alert use Lucene syntax only. I mean, to be precise - alerts use Query DSL, which uses Lucene. So if Lucene is to basic, you can always expand with other DSL structure. The query_string statement is just a option in query DSL. Similar to this: https://opensearch.org/docs/latest/query-dsl/full-text/query-string/
query_string
More about DSL: https://opensearch.org/docs/latest/query-dsl
