Multi-Data Source

One of the core advantages of OpenSearch UI is the ability to connect multiple OpenSearch domains and serverless collections to a single application. This lets you query, visualize, and correlate data across different backends without switching between tools.

How multi-data source works

An OpenSearch UI application acts as a unified frontend. Behind the scenes, each data source maintains its own indices, cluster settings, and access policies. The application routes queries to the appropriate backend based on which data source an index pattern is associated with.

┌─────────────────────────────────────────┐
│          OpenSearch UI Application       │
│                                         │
│  ┌──────────┐  ┌──────────┐  ┌────────┐│
│  │Workspace │  │Workspace │  │Workspace││
│  │  (Obs)   │  │  (Sec)   │  │(Search)││
│  └────┬─────┘  └────┬─────┘  └───┬────┘│
└───────┼──────────────┼────────────┼─────┘
        │              │            │
   ┌────▼────┐   ┌─────▼────┐  ┌───▼──────┐
   │ Domain  │   │ Domain   │  │Serverless│
   │ (logs)  │   │ (siem)   │  │Collection│
   └─────────┘   └──────────┘  └──────────┘

Associating multiple data sources

Via the console

Open the Amazon OpenSearch Service console
Navigate to OpenSearch UI (Dashboards)
Select your application
Choose the Data sources tab
Click Manage data sources
Select all the domains and collections you want to associate
Click Save

Via the CLI

aws opensearch update-application \
    --id app-abc123def456 \
    --region us-east-1 \
    --data-sources '[
      {
        "dataSourceArn": "arn:aws:es:us-east-1:123456789012:domain/logs-domain",
        "dataSourceDescription": "Application and infrastructure logs"
      },
      {
        "dataSourceArn": "arn:aws:es:us-east-1:123456789012:domain/apm-domain",
        "dataSourceDescription": "APM traces and metrics"
      },
      {
        "dataSourceArn": "arn:aws:aoss:us-east-1:123456789012:collection/search-col",
        "dataSourceDescription": "Product search collection"
      },
      {
        "dataSourceArn": "arn:aws:es:us-east-1:123456789012:domain/siem-domain",
        "dataSourceDescription": "Security event data"
      }
    ]'

The update-application API replaces the entire data source list. Always include all data sources you want to keep.

Supported data source combinations

You can mix and match different types of data sources:

Data Source Type	Max per Application	Notes
OpenSearch managed domains	No hard limit	Same or cross-account
OpenSearch Serverless collections	No hard limit	Requires network policy for VPC
Direct query (S3)	Configured per domain	Requires Glue catalog
Direct query (CloudWatch)	Configured per domain	Configured inside UI
Direct query (Security Lake)	Configured per domain	Configured inside UI

Creating index patterns across data sources

When you have multiple data sources, each index pattern is tied to a specific data source. This is how OpenSearch UI knows where to route queries.

Creating an index pattern

Inside a workspace, navigate to Dashboards Management → Index Patterns
Click Create index pattern
Select the data source from the dropdown
Enter the index pattern (e.g., logs-*, traces-*)
Choose the time field (if applicable)
Click Create

Example: multiple index patterns from different sources

Index Pattern	Data Source	Purpose
`app-logs-*`	logs-domain	Application log data
`traces-*`	apm-domain	Distributed tracing data
`products`	search-collection	Product catalog
`security-events-*`	siem-domain	Security event logs

Querying across data sources

Within a single workspace

Each query in Discover or a visualization targets a single index pattern (and therefore a single data source). To see data from multiple sources side by side, create a dashboard with visualizations that each point to different index patterns.

Using PPL with specific data sources

When using PPL in the Observability workspace, specify the index from the appropriate data source:

# Query logs from the logs-domain
source = app-logs-2025.06
| where level = 'ERROR'
| stats count() by service_name
 
# Query traces from the apm-domain
source = traces-2025.06
| where duration > 5000
| stats avg(duration) as avg_duration by service_name

Cross-source correlation

While you can't join data across data sources in a single query, you can correlate data by:

Creating visualizations from each data source
Placing them on the same dashboard
Using the global time picker to align time ranges
Using dashboard filters that apply to all visualizations

Workspace-level data source scoping

Not every workspace needs access to every data source. Scope data sources per workspace to keep things clean:

Application data sources: [logs-domain, apm-domain, siem-domain, search-collection]
 
Observability workspace → [logs-domain, apm-domain]
Security workspace     → [siem-domain]
Search workspace       → [search-collection]
Analytics workspace    → [all data sources]

This is configured in Workspace settings → Data sources.

Managing data source health

The OpenSearch UI shows the health status of each associated data source:

Status	Meaning	Action
Green	Healthy, all shards allocated	No action needed
Yellow	Healthy, but replica shards not allocated	Check domain configuration
Red	Unhealthy, some primary shards unavailable	Investigate domain health
Unavailable	Cannot connect to the data source	Check VPC access, permissions

View data source health from Dashboards Management → Data Sources within any workspace.

Limitations

No cross-source joins — You cannot join data from two different data sources in a single query. Use dashboards to correlate visually.
Index pattern per source — Each index pattern is tied to one data source. You cannot create a single index pattern that spans multiple domains.
Engine version differences — If your domains run different OpenSearch versions, some features may not be available on older domains.
Serverless query limits — Serverless collections have different query limits (OCU-based) compared to managed domains.
Direct query performance — Queries against S3 or CloudWatch via direct query are slower than queries against indexed data on a domain.

Troubleshooting

Data source not appearing in workspace settings

Verify the data source is associated at the application level
Check that the data source is in Active state
Refresh the page — newly associated data sources may take a moment to appear

"Index not found" when querying

Ensure the index pattern is created against the correct data source
Verify the index exists on the target domain
Check that the workspace has access to the data source containing the index

Slow queries on one data source

Check the domain's CloudWatch metrics for resource utilization
Serverless collections may need higher OCU capacity
Direct query sources (S3, CloudWatch) are inherently slower — consider indexing frequently queried data

Mixed version behavior

If one domain runs OpenSearch 2.11 and another runs 2.17, features like PPL enhancements may only work on the newer domain
Check the engine version in the domain details to understand feature availability