
[BUG] The provided expression matches an alias, specify the corresponding concrete indices instead. #1477

Open
mmguero opened this issue Feb 13, 2025 · 1 comment
Labels
bug Something isn't working untriaged

Comments

@mmguero

mmguero commented Feb 13, 2025

What is the bug?
When creating a detector based on the Network ruleset, using an index alias as is described in the mappings API documentation and the UI itself, the dashboards' logs give this error:

Security Analytics - IndexService - createAliases: StatusCodeError: [illegal_argument_exception] The provided expression [malcolm_network] matches an alias, specify the corresponding concrete indices instead.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Have an index template defined for an index pattern that also associates an alias
    (two screenshots of the index template and alias definition, attached in the original issue)
  2. Have documents indexed to indexes matching that index pattern (in my case, it's Zeek logs)
  3. Navigate to Create Security Detector
  4. Give it a name
  5. Select the alias described in step 1 for Select Indexes/aliases where it says "Aliases and data streams are recommended for optimal functioning of detectors."
  6. Set up mappings if needed
  7. Click next
  8. Create a trigger with the default settings
  9. Click Create detector
  10. Wait a moment for the detector to be created
  11. Observe debug logs from Logstash:
Security Analytics - IndexService - createAliases: StatusCodeError: [illegal_argument_exception] The provided expression [malcolm_network] matches an alias, specify the corresponding concrete indices instead.
    at respond (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/usr/share/opensearch-dashboards/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (node:events:529:35)
    at IncomingMessage.emit (node:domain:489:12)
    at endReadableNT (node:internal/streams/readable:1400:12)
    at processTicksAndRejections (node:internal/process/task_queues:82:21) {
  status: 400,
  displayName: 'BadRequest',
  path: '/_aliases',
  query: {},
  body: {
    error: {
      root_cause: [Array],
      type: 'illegal_argument_exception',
      reason: 'The provided expression [malcolm_network] matches an alias, specify the corresponding concrete indices instead.'
    },
    status: 400
  },
  statusCode: 400,
  response: '{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"The provided expression [malcolm_network] matches an alias, specify the corresponding concrete indices instead."}],"type":"illegal_argument_exception","reason":"The provided expression [malcolm_network] matches an alias, specify the corresponding concrete indices instead."},"status":400}',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}

Why is it complaining that "The provided expression [malcolm_network] matches an alias, specify the corresponding concrete indices instead."? The documentation and UI itself clearly says I should be using an alias.

What is your host/environment?

  • OS: Linux x86_64 with the OpenSearch Docker image with minor modifications
  • Version: v2.19.0
  • Plugins: Standard plugins installed in the Docker image minus opensearch security and opensearch-performance-analyzer
@cwperks
Member

cwperks commented Feb 15, 2025

@mmguero I'm not an expert in this plugin (my expertise is in the security plugin), but I think that error indicates that the alias already exists. It's coming from here. The APIs to create and update an alias are the same, and since it already exists I think it's hitting this code block.

More code refs:

  1. Where aliasOrIndexExists is used - My understanding is that it returns false when update alias API is called based on the comment in the code - tbh not sure why
  2. The exception is thrown here

I only took a really cursory glance so I can't say anything for certain except that the error is coming from the IndexNameExpressionResolver in core.
