I use the inbuilt ES notables and incidents for creating the tickets for the team to work on the issues. All the tickets are saved in a separate index=notable; however, the issue is that the drill-down events of these notables are not saved separately. The drill-down search runs on normal indexes such as windows/unix etc. with shorter retention periods. Sometimes I need those drill-down events for research purposes, and then I need to unfreeze the whole bucket to get one event of the appropriate data. I want to create a new index which will store the drill-down events for all the notables raised automatically, and then I can adjust its retention period as per my needs. Kindly advise.
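One way to set this up, written here as an added example rather than anything from the original post or from Splunk ES itself: a dedicated index with its own retention in indexes.conf, plus a scheduled search in savedsearches.conf that re-runs each new notable's drill-down search and copies the matching events into that index with `collect`. The index name `notable_drilldown`, the retention value, the 15-minute schedule, the 24-hour drill-down window and the saved-search name are all assumptions; the field names `drilldown_search` and `event_id` are assumed to be present on the events in index=notable (ES writes the correlation search's `action.notable.param.drilldown_search` into the notable event), so verify them against your own notable events before scheduling this.

```ini
# indexes.conf -- new index that holds copies of the drill-down events.
# Assumed index name: notable_drilldown; retention value is an example.
[notable_drilldown]
homePath   = $SPLUNK_DB/notable_drilldown/db
coldPath   = $SPLUNK_DB/notable_drilldown/colddb
thawedPath = $SPLUNK_DB/notable_drilldown/thaweddb
# keep these events for one year, independent of the windows/unix indexes
frozenTimePeriodInSecs = 31536000

# savedsearches.conf -- scheduled search that re-runs each new notable's
# drill-down search and writes the matching raw events into that index.
# Assumes the notable event carries its drill-down SPL in drilldown_search
# and a unique id in event_id (both populated by ES; check your own events).
[Archive notable drill-down events]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
search = index=notable earliest=-20m@m drilldown_search=* \
  | dedup event_id \
  | map maxsearches=50 search="search $drilldown_search$ earliest=-24h latest=now \
      | eval notable_event_id=\"$event_id$\" \
      | collect index=notable_drilldown"
```

Two caveats worth checking before relying on this: `map` prefixes the substituted string with `search`, so a drill-down that starts with a generating command such as `| tstats` will not run unchanged and needs its own branch; and the fixed 24-hour window above is a stand-in for the per-notable `drilldown_earliest_offset`/`drilldown_latest_offset` values that ES stores, which you can substitute in the same way if your notables carry them. Because `collect` stamps the copied events with `notable_event_id`, a later investigation can pull the archived drill-down events for one ticket with `index=notable_drilldown notable_event_id=<id>` without thawing any windows/unix buckets.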