Behavioral bug between the terms_enum and terms_agg for the KQL bar.

behavioral_bug_aggs_terms.json

# New behavior which does NOT allow us to use "-*elastic-cloud-logs-*" if it does not exist
# to subtract. Instead this blows up with a 404 error which causes a cascading 500 internal server error
POST /auditbeat-*,filebeat-*,logs-*,winlogbeat-*,-*elastic-cloud-logs-*/_terms_enum
{
  "field": "host.name",
  "string": "",
  "index_filter": {
    "bool": {
      "must": [
        {
          "terms": {
            "_tier": [
              "data_hot",
              "data_warm",
              "data_content",
              "data_cold"
            ]
          }
        }
      ]
    }
  }
}

# error returned is:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "index_not_found_exception",
        "reason" : "no such index [*elastic-cloud-logs-*]",
        "index_uuid" : "_na_",
        "index" : "*elastic-cloud-logs-*"
      }
    ],
    "type" : "index_not_found_exception",
    "reason" : "no such index [*elastic-cloud-logs-*]",
    "index_uuid" : "_na_",
    "index" : "*elastic-cloud-logs-*"
  },
  "status" : 404
}


# Older terms_aggs behavior which allows us to use "-*elastic-cloud-logs-*" if it does not exist to subtract.
# However it will not allow non-existent indexes if they are not prefixed with a dash
GET /auditbeat-*,filebeat-*,logs-*,winlogbeat-*,-*elastic-cloud-logs-*/_search
{
  "size": 0,
  "timeout": "1000ms",
  "terminate_after": 100000,
  "query": {
    "bool": {
      "filter": []
    }
  },
  "aggs": {
    "suggestions": {
      "terms": {
        "field": "host.name",
        "include": ".*",
        "execution_hint": "map",
        "shard_size": 10
      }
    }
  }
}