Hello, I've setup an infrastructure with a central Elastic cluster and other remote connected using "Remote clusters" feature.
When I create detection rules I set the index pattern like :filebeat to match events also from remote cluster.
What about one of this goes offline temporarily?
I saw a failure on rule like that: Bulk Indexing of signals failed: {"error":{"root_cause":[{"type":"connect_transport_exception","reason":"[192.168.1.199:9300] connect_exception"}],.....
and seems rules isn't working anymore.
Is there a way to run the rule using the connected clusters and ignore the offline ones? I don't want to have all rules stopped until a remote cluster come back online.
Thanks
Enrico