We've had an incident on an endpoint that has resulted in some very interesting events logged in LME. We'd like to report/export on all these events before the retention policy sweeps it all away. Is there a nice way to export all ~9000 events I see in the Events tab of a host, with each events linked details to HTML, so they can be browsed and expanded as if you were in LME looking at live data?

OR exclude this section of log from the retention policy. mark is as persistent?

Hello,

I haven't personally tried it so your mileage may vary, however elasticsearch-dump appears to have the capability to save off data based on a query.

Closed due to project archive