I want to use a log aggregation system to gather a lot of logs, and then build dashboards on them (metrics mainly, e.g. num 4XX errors, num 5XX errors).

I don’t want the retention on the source raw logs to be long (maybe 5 days), but I want a historic database of the values of these metrics (e.g. num 4XX errors graphed for the last 6 months).

Is this possible? Any pointers will be useful.



You can create two index sets: one for the raw data and one for calculated metrics. Then set different retention settings for them.
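One way to realise the two-store pattern the reply describes, written as an added example that is not part of the original thread: raw access-log lines go into a short-retention store, the derived 4XX/5XX counters per hour go into a long-retention store, and each store expires its own records independently, so the counters outlive the lines they were computed from. The store names (`raw_logs`, `http_metrics`), the combined-style log format, the sample lines and the 5-day / 180-day retention values (taken from the question's "5 days" and "6 months") are assumptions for illustration; in a log aggregation system with index sets, the two stores correspond to two index sets with their own retention settings.

```python
"""Added example: aggregate raw HTTP access logs into per-hour status-class
counters and keep the counters longer than the raw lines.  Store names, log
format, sample lines and retention values are assumptions, not the original
post's configuration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Retention per store (assumed values: ~5 days for raw, ~6 months for metrics).
RAW_RETENTION = timedelta(days=5)
METRIC_RETENTION = timedelta(days=180)

# Constructed sample lines in the common "combined" access-log shape.
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Mar/2024:11:05:12 +0000] "GET /api/items HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:11:07:45 +0000] "GET /api/missing HTTP/1.1" 404 91',
    '198.51.100.3 - - [10/Mar/2024:11:30:01 +0000] "POST /api/items HTTP/1.1" 503 0',
    '198.51.100.3 - - [10/Mar/2024:11:31:09 +0000] "GET /login HTTP/1.1" 401 0',
    '203.0.113.9 - - [01/Mar/2024:08:15:00 +0000] "GET /api/items HTTP/1.1" 500 0',
    '203.0.113.9 - - [01/Mar/2024:08:16:00 +0000] "GET /api/items HTTP/1.1" 403 0',
    '192.0.2.4 - - [01/Aug/2023:02:00:00 +0000] "GET / HTTP/1.1" 200 1024',
    'this line is garbage and will be skipped',
]

# "Now" is fixed so the example is deterministic (constructed value).
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, status_code) for a well-formed line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return ts, int(m.group("status"))


def status_class(status):
    """Map 404 -> '4XX', 503 -> '5XX', and so on."""
    return f"{status // 100}XX"


class Store:
    """A minimal stand-in for one index set: records plus its own retention."""

    def __init__(self, name, retention):
        self.name = name
        self.retention = retention
        self.records = []  # list of (timestamp, record)

    def put(self, ts, record):
        self.records.append((ts, record))

    def expire(self, now):
        """Drop everything older than this store's retention; return count dropped."""
        cutoff = now - self.retention
        before = len(self.records)
        self.records = [(ts, r) for ts, r in self.records if ts >= cutoff]
        return before - len(self.records)

    def get(self, ts):
        """Return the record stored at exactly this timestamp (metric buckets)."""
        for stored_ts, record in self.records:
            if stored_ts == ts:
                return record
        return None


def aggregate(lines, now):
    """Ingest raw lines, derive hourly counters, apply retention to both stores."""
    raw = Store("raw_logs", RAW_RETENTION)
    metrics = Store("http_metrics", METRIC_RETENTION)
    counts = defaultdict(lambda: defaultdict(int))  # hour bucket -> class -> n
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than abort the whole batch
        ts, status = parsed
        raw.put(ts, line)
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[bucket][status_class(status)] += 1
    for bucket, by_class in counts.items():
        metrics.put(bucket, dict(by_class))
    raw.expire(now)
    metrics.expire(now)
    return raw, metrics


def total(metrics, cls):
    """Sum one status class over every metric bucket still retained."""
    return sum(record.get(cls, 0) for _, record in metrics.records)


if __name__ == "__main__":
    raw, metrics = aggregate(SAMPLE_LOGS, NOW)
    print(f"{raw.name}: {len(raw.records)} lines retained")
    for bucket, by_class in sorted(metrics.records):
        print(f"{metrics.name} {bucket.isoformat()}: {by_class}")
    print("4XX total:", total(metrics, "4XX"), "5XX total:", total(metrics, "5XX"))
```

With the constructed input, the two lines from 1 March 2024 are older than the 5-day raw retention and are dropped from `raw_logs`, yet their hourly bucket (one 4XX, one 5XX) survives in `http_metrics`; the August 2023 bucket is beyond 180 days and is dropped from both. The metrics store stays small regardless of log volume because it holds one small record per hour, which is what makes the long retention cheap.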

