Save results of Kibana query in new index

2/11/2020

Working with Kibana, my team has developed the need to keep a tiny subset of our logs for 5 years (specifically, all logs that have an alert field). Does anyone have an idea how to do this?

We're deleting our logs after 7 days, which is taken care of by the ILM policy we set on our indices. We want to keep this ILM policy, but the small subset needs to be saved for longer.

Our setup: we run on Kubernetes (1.15.x), run Filebeat (7.5.0) on that Kubernetes cluster, which sends (and lightly parses) our logs to an index (let's call it log_index) on Elastic Cloud (7.5.0), and we display those with Kibana (cloud).

Conceptually, I would like to export the results of our query for alerts on the log_index index to a specific new index (say, alert_index) and set up ILM for that to keep that index for 5 years. But I don't really know if that is possible or even makes sense. Any inspiration is welcome!

-- L de Pudo
filebeat
kibana-7
kubernetes
logging

0 Answers
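The workflow the question sketches (query the short-lived index, copy the matches into a separate index, give that index its own ILM policy) maps directly onto three Elasticsearch 7.x API calls: `PUT _ilm/policy`, `PUT _template` and `POST _reindex`. The script below is an added example written for this page; it is not code from the question, from any answer, or from Elastic. It uses the names from the question (`log_index`, an `alert` field, an `alert_index` destination) and adds hypothetical ones of its own: the policy and template name `alerts-5y`, and `ES_URL` / `ES_USER` / `ES_PASS` environment variables for the Elastic Cloud endpoint. Two points it handles that the question does not mention: a single ever-growing `alert_index` with a 5-year delete phase would be deleted five years after the index was created, recent alerts included, so the destination is one index per month; and the copy job has to run more often than the 7-day source deletion and must be safe to re-run, which `op_type: create` plus `conflicts: proceed` gives you because `_reindex` preserves the source `_id`.

```python
"""Copy alert events out of a short-lived index into long-lived, month-named indices.

Added example written for this page; not code from the question or from Elastic.
Assumed names: log_index and the `alert` field (from the question), the hypothetical
ILM policy / template name `alerts-5y`, and the hypothetical ES_URL / ES_USER /
ES_PASS environment variables. Uses only the 7.x REST API: PUT _ilm/policy,
PUT _template (legacy templates; composable _index_template needs 7.8+), POST _reindex.
"""
import base64
import datetime
import json
import os
import urllib.request

SOURCE_INDEX = "log_index"
DEST_PREFIX = "alert_index-"     # destination indices are alert_index-YYYY.MM
POLICY_NAME = "alerts-5y"        # hypothetical policy / template name
RETENTION = "1825d"              # 5 years
LOOKBACK = "now-2d"              # must be shorter than the 7-day source retention


def dest_index_for(day):
    """Destination index for a given date (datetime.date or 'YYYY-MM-DD' string).
    One index per month, so each month ages and is deleted on its own; a single
    alert_index would be deleted five years after *its* creation, recent alerts included."""
    if isinstance(day, str):
        day = datetime.date.fromisoformat(day)
    return f"{DEST_PREFIX}{day.strftime('%Y.%m')}"


def ilm_policy_body(retention=RETENTION):
    """Delete-only ILM policy. With no rollover action, min_age is measured from
    the index creation date, which is what the per-month naming relies on."""
    return {"policy": {"phases": {"delete": {"min_age": retention,
                                             "actions": {"delete": {}}}}}}


def index_template_body(policy=POLICY_NAME, pattern=f"{DEST_PREFIX}*"):
    """Legacy index template that attaches the policy to every alert_index-* index,
    so an index that _reindex auto-creates is governed by it from the start."""
    return {"index_patterns": [pattern],
            "settings": {"index.lifecycle.name": policy}}


def reindex_body(dest, source=SOURCE_INDEX, since=LOOKBACK):
    """_reindex request: every source document that has an `alert` field and was
    ingested within the lookback window. Idempotent by design: _reindex keeps the
    source _id, dest.op_type=create refuses to overwrite an existing _id, and
    conflicts=proceed turns those refusals into a count instead of an error, so
    overlapping windows and re-runs after a failure never duplicate an alert."""
    return {
        "conflicts": "proceed",
        "source": {
            "index": source,
            "query": {"bool": {"filter": [
                {"exists": {"field": "alert"}},
                {"range": {"@timestamp": {"gte": since}}},
            ]}},
        },
        "dest": {"index": dest, "op_type": "create"},
    }


def es_request(method, path, body):
    """Send one JSON request with basic auth to the cluster named by ES_URL (assumed env var)."""
    base = os.environ["ES_URL"].rstrip("/")
    creds = f"{os.environ.get('ES_USER', 'elastic')}:{os.environ['ES_PASS']}"
    req = urllib.request.Request(
        base + path, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + base64.b64encode(creds.encode()).decode()})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def run_daily(today=None):
    """The job to schedule once a day (i.e. more often than the 7-day source deletion).
    The policy and template PUTs are idempotent, so re-applying them each run is cheap."""
    today = today or datetime.date.today()
    es_request("PUT", f"/_ilm/policy/{POLICY_NAME}", ilm_policy_body())
    es_request("PUT", f"/_template/{POLICY_NAME}", index_template_body())
    result = es_request("POST", "/_reindex?refresh=true",
                        reindex_body(dest_index_for(today)))
    # created = new alerts archived; version_conflicts = already-archived ones skipped
    return {k: result.get(k, 0) for k in ("total", "created", "version_conflicts")}


if __name__ == "__main__":
    print(json.dumps(run_daily()))
```

The same three JSON bodies can be pasted into Kibana Dev Tools if you prefer to set the policy and template up by hand and only script the daily `_reindex`. Note that documents land in the month index of the day the job runs, not of the event timestamp; with a two-day lookback that is at most a couple of days off, which is fine for a retention measured in years. If a day's run is missed, widen `LOOKBACK` for the catch-up run: anything already copied is skipped, so the only cost is the extra scan.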