I agree that it would significantly slow down all aspects of the Elastic Stack. Most of my indices contain a date/time field for when the event occurred, but how would I use that in the Elasticsearch index? Can you give me an example?
If I have an event with a timefield of 8/20/2019 15:30:45, how do I get the Elasticsearch output's index option to look at just the monthly/weekly value, using mutate and gsub?
Another problem I see with this is that one of my indices grows by about 10 million events per day, and controlling it by size using rollover and ILM seems to be working well, but with this method, size control is lost. Is there a way to account for something like that?