Hello,
Using Securityonion's 'advanced clustering' which means us managing it's cluster.
Our delete time is set to 15 days for our so-* indices.
If I want to stop specific index: so-zeek-11232022 from being deleted after 15 days, how would I do that.
My only solution that I know how to do, is set the deletion times to super long, then just manually delete and manage the indices.
Any advice? Thank you
Welcome to our community! 
There's no way to exclude an index that is part of an ILM policy. You could clone the index to a new name to keep it though.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.