Wazuh Dev Tools vs OpenSearch Dev Tools for aggregation queries

[inzaky kazai]

Hi, I'm trying to run an aggregation query against wazuh-alerts-4.x-* indices to build daily reports. The query works fine in the OpenSearch Dev Tools (/app/dev_tools#/console) but not in the Wazuh Dev Tools (/app/dev-tools#/wazuh-dev). Is this expected behavior since Wazuh Dev Tools only targets the Wazuh API and not OpenSearch indices directly?

[Olamilekan Abdullateef Ajani]

Hello,

The Wazuh API has no concept of OpenSearch indices. When you paste a POST /wazuh-alerts-4.x-*/_search query into the Wazuh Dev Tools, it tries to send that to localhost:55000, where the Wazuh manager has no idea what to do with it.

The right place for index aggregation queries is to use the Wazuh indexer API from the Wazuh dashboard and navigate to Index Management > Dev Tools. That console posts directly to port 9200 (the OpenSearch/Wazuh Indexer API), and is equivalent to the OpenSearch Dev Tools console.
Wazuh stores triggered alerts in the wazuh-alerts* index in the Wazuh indexer. You can use the Wazuh indexer API to query the alerts via the _search endpoint to search through all alerts in the index and aggregate fields.

Please let me know if you require further clarification on this.

Regards,

[inzaky kazai]

Hello,

I tested it and it works fine now.

Thank you for the clarification. I understand now why the query works in Index Management > Dev Tools and not in the Wazuh Dev Tools.

Best regards,