
Global saved queries that can be imported throughout OpenSearch

Open spurrw opened this issue 3 years ago • 0 comments

Is your feature request related to a problem? Please describe.

In my OpenSearch setup I have lots of saved Discover searches and saved Alerting monitors with query segments that are duplicated between them. For example, I frequently want to filter for logs sent by computers with a specific pattern in their DNS name. To do this I'll have a query segment that I reuse (copy/paste) between all the saved searches and monitors that require it. That works, but if I need to modify this query segment I need to modify it in lots of places manually.

Describe the solution you'd like

It'd be really nice to have a global/centralized store where you can create queries or segments of queries that can be called and imported into other queries you create. Here's an example of how it could appear to users:

In the global store where you create savable/callable queries or query segments:

```
"saved_queries": {
  "hostname_filter_1": {
    "script": {
      "script": {
        "source": "if (doc['logsource.keyword'].size() > 0) {if (doc['logsource.keyword'].value.toLowerCase().startsWith('computers-I-want') && doc['logsource.keyword'].value.toLowerCase().endsWith('.my.domain.com')) {return true;}} return false;"
      }
    }
  },
  "another_saved_query": { ... },
  etc...
}
```

In another query where you want to use that query segment:

```
"query": {
  "bool": {
    "filter": [
      { "saved_query": "hostname_filter_1" },
      {
        "range": {
          "@timestamp": {
            "gte": "now-1h",
            "lte": "now",
            "format": "epoch_millis"
          }
        }
      }
    ]
  }
}
```

The saved global query could get imported into other queries on-the-fly. If I wanted to modify one of my re-used queries I'd only need to change it in one place.

Describe alternatives you've considered

I don't know of any alternatives other than copy/pasting query segments around that I re-use. If there is already something like that please let me know!

spurrw, Aug 04 '22 19:08
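The on-the-fly import requested in the post can be sketched as a client-side expansion step that runs before a search or monitor body is submitted. This is an added example, not code from the issue or from the OpenSearch project: the `saved_query` clause is the post's proposed syntax, and `SAVED_QUERIES`, `expand`, `build_search_body` and the `recent_from_hosts` entry are hypothetical names constructed for illustration.

```python
# Constructed central store, keyed by name (mirrors the post's "saved_queries").
SAVED_QUERIES = {
    "hostname_filter_1": {
        "script": {"script": {"source": (
            "if (doc['logsource.keyword'].size() > 0) {"
            "if (doc['logsource.keyword'].value.toLowerCase().startsWith('computers-I-want')"
            " && doc['logsource.keyword'].value.toLowerCase().endsWith('.my.domain.com'))"
            " {return true;}} return false;"
        )}}
    },
    # Constructed entry: a saved query that itself reuses another saved query.
    "recent_from_hosts": {
        "bool": {"filter": [
            {"saved_query": "hostname_filter_1"},
            {"range": {"@timestamp": {"gte": "now-1h", "lte": "now"}}},
        ]}
    },
}


def expand(node, store, _stack=()):
    """Return a copy of `node` with every {"saved_query": name} clause replaced."""
    if isinstance(node, list):
        return [expand(item, store, _stack) for item in node]
    if not isinstance(node, dict):
        return node  # scalars are immutable, safe to share
    if set(node) == {"saved_query"} and isinstance(node["saved_query"], str):
        name = node["saved_query"]
        if name in _stack:
            # A store entry that (indirectly) imports itself would never terminate.
            raise ValueError("cyclic saved_query: " + " -> ".join(_stack + (name,)))
        if name not in store:
            # Fail closed: silently dropping a filter would widen a monitor's scope.
            raise KeyError(f"unknown saved_query: {name}")
        return expand(store[name], store, _stack + (name,))
    return {key: expand(value, store, _stack) for key, value in node.items()}


def build_search_body(query, store=SAVED_QUERIES):
    """Expand all references so the body holds only standard query DSL."""
    return {"query": expand(query, store)}
```

Editing `hostname_filter_1` in the store changes every query built through `build_search_body`, which is the single point of change the post asks for.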