An index receives events which are reviewed by an internal team. Some events need a new status. I consider doing that by adding a new field using the __eval__ command and adding it as a new event to the index (in order to keep the history) using the __collect__ command:
index=source | ... | eval new_status="a new status" | collect index=source
but the new field is not kept and saved. Is there any workaround for this?
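The behaviour in the question comes from `collect` writing only each event's `_raw` text into the destination index, so a field that exists only as a search-time `eval` result is not carried over. The following is an added example, not code from the original post: it puts the new value into `_raw` before `collect` runs, so the automatic key=value extraction finds it again when the collected copy is searched. The sourcetype `reviewed_events` and the constant status value are assumptions chosen for illustration; `marker` and `output_format` are documented options of `collect`.

```spl
# Added example (not from the original post). Assumptions: the destination
# sourcetype "reviewed_events" is ours to choose; status text is illustrative.

# Variant 1: the status is the same constant for every collected event.
# "marker" appends the given string to each event written by collect, so the
# new field ends up inside _raw and is extracted as key=value at search time.
index=source sourcetype=myevents
| collect index=source sourcetype=reviewed_events marker="new_status=\"a new status\""

# Variant 2: the status is computed per event with eval.
# Append the eval result to _raw explicitly before collect, since collect
# only persists _raw and ignores fields that exist only in the search pipeline.
index=source sourcetype=myevents
| eval new_status=if(like(_raw, "%error%"), "needs review", "approved")
| eval _raw=_raw . " new_status=\"" . new_status . "\""
| collect index=source sourcetype=reviewed_events

# Verifying the result: the field is present on the collected copies only.
index=source sourcetype=reviewed_events new_status=*
| stats count by new_status
```

A distinct sourcetype on the collected copy is a deliberate choice here: writing back into the same index with the same `_time` produces a second event per original, and the sourcetype is what lets searches tell the reviewed copy apart from the original (and keeps the original history intact, as the question intends). On recent Splunk versions `collect` also accepts `output_format=hec`, which preserves indexed fields without rewriting `_raw`; whether that applies depends on the version in use, so the `_raw` approach above is the one that works on any version.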