We are trying to track down an issue that we believe is associated with incorrect time stamps from some network devices. When we do a default search for the past 5 minutes, it shows that it queried 4 to 5 different indices, several of which are days old. We have Elastic set to rotate indices at 28GB, which results in about 3 indices a day.
Also, when we go to the indices page, the second index listed says “contains messages from 12 days ago up to in 4 hours”.
If searching a single index is not possible, would I be able to make a copy of an index, then create a new index set and rename the copied index to match the index set prefix?
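The following is an added example, not code from the post above or from Graylog itself. It models the behaviour being described: each index carries a min/max range of the message timestamp field, a search over a time window touches every index whose range overlaps that window, and a single device with a wrong clock stretches an index's range so that a "last 5 minutes" search also reads an index written days ago. The selection rule (overlap of the per-index [min, max] timestamp range with the query window) is the assumption the model rests on; the index names, host names and messages are constructed sample data, not anything from the original post.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed data is reproducible (assumption, not real data).
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
HOUR = timedelta(hours=1)
MIN = timedelta(minutes=1)
SEC = timedelta(seconds=1)

# Constructed sample messages, not data from the post. Each tuple is
# (index the message was written to, source device,
#  timestamp the device put in the message, time the server received it).
# Two sources have broken clocks: switch-a is 11 days slow, router-b is 28 hours fast.
MESSAGES = [
    ("graylog_44", "host-1",   NOW - 2 * DAY,            NOW - 2 * DAY),
    ("graylog_44", "host-2",   NOW - 2 * DAY + 30 * SEC, NOW - 2 * DAY + 30 * SEC),
    ("graylog_45", "host-1",   NOW - DAY,                NOW - DAY),
    ("graylog_45", "switch-a", NOW - 12 * DAY,           NOW - DAY),  # clock 11 days slow
    ("graylog_45", "router-b", NOW + 4 * HOUR,           NOW - DAY),  # clock 28 hours fast
    ("graylog_46", "host-1",   NOW - 2 * MIN,            NOW - 2 * MIN),
    ("graylog_46", "host-2",   NOW - 1 * MIN,            NOW - 1 * MIN),
]


def index_ranges(messages):
    """Per-index (min, max) of the message timestamp field.

    This is the range a search planner consults in this model; note that one
    message with a skewed timestamp is enough to stretch it by days.
    """
    ranges = {}
    for index, _source, ts, _received in messages:
        lo, hi = ranges.get(index, (ts, ts))
        ranges[index] = (min(lo, ts), max(hi, ts))
    return ranges


def indices_for_search(ranges, start, end):
    """Indices whose [min, max] range overlaps the query window [start, end]."""
    return sorted(index for index, (lo, hi) in ranges.items()
                  if lo <= end and hi >= start)


def skewed_sources(messages, tolerance=MIN * 5):
    """Sources whose own timestamp differs from receive time by more than tolerance.

    Returns {source: worst offset in seconds}, positive meaning the device clock
    runs ahead of the server, negative meaning it lags.
    """
    worst = {}
    for _index, source, ts, received in messages:
        offset = (ts - received).total_seconds()
        if abs(offset) > tolerance.total_seconds() and abs(offset) > abs(worst.get(source, 0.0)):
            worst[source] = offset
    return worst


if __name__ == "__main__":
    ranges = index_ranges(MESSAGES)
    for index, (lo, hi) in sorted(ranges.items()):
        print(f"{index}: {lo.isoformat()} .. {hi.isoformat()}")
    print("indices touched by a 'last 5 minutes' search:",
          indices_for_search(ranges, NOW - 5 * MIN, NOW))
    print("sources with skewed clocks (seconds):", skewed_sources(MESSAGES))
```

With this data the index written a day ago reports a range from 12 days ago up to 4 hours in the future, so the 5-minute search touches it alongside the current index; comparing each message's own timestamp with its receive time then points at the two devices whose clocks are off.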