Storing raw events in a summary index
Sometimes it is desirable to copy events to another index. I have seen a couple of reasons for doing this, namely:
- Differing retention: If some special events need to be kept indefinitely, but the index where they are initially captured rolls off after some period of time, they can be captured into a summary index.
- Enrichment: Sometimes the enrichment of data is too expensive to happen with every query, or it is important to capture events with the values from a lookup as the values existed at a particular point in time.
The process is essentially the same as creating any summary index events. Follow these steps:
- Create a populating query.
- Add interesting fields using the
- Add a search_name field to ...
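An added example of such a populating query, written here for this section and not taken from the original text; the index names, the host_owner lookup and the search_name value are assumed placeholders, and the enrichment (owner, team) is captured as it exists at the time the search runs:

```spl
index=web sourcetype=access_combined status>=500
| lookup host_owner host OUTPUT owner team
| fields _time host status uri owner team
| eval search_name="web_errors_raw_copy"
| collect index=summary_web_errors
```

Run this on a schedule so each run appends the matching events, with the lookup values as they were at that time, to the summary index, which can then be given its own retention period.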