We intend to keep data for a year for archive purposes.
This is based on the statistics saying that on average it takes half a year to discover you have been hacked. We therefore intend to keep data for a year so we are better able to respond to the GDPR needs of 72 hours report back time in case of a data breach.
Now, since we only need this for archiving and we intend to look back live for only 1 month, wouldn't it be wise, in order not to stress the system too much, to set index rotation to P1M with a Max number of indices of 12?
That way each index would hold 1 month of data, which would give us a faster search time, but we will be able to go back a year if need be.
Is this assumption correct?