Index War Room Entries

Log in to your Cortex XSOAR server as root or an account with sudo privileges.
Stop the Cortex XSOAR service:
systemctl stop demisto
Make a backup copy of your demisto.conf file:
cp /etc/demisto.conf /etc/demisto.conf.bak
Edit the
/etc/demisto.conf
file for all databases by adding the entries in the following format:
"server.entries.restore": true,
"db.index.entry.disable": false,
"DB": {
    "IndexEntryContent": true
},
"granular": {
    "index": {
        "entries": 7
   }
}
The
granular.index.entries
total value is 7, which is split as to:
1: notes
2: chats
4: pinned as evidence
You can choose one of the values separately, or add them together for all values. For example, 7 is the total of 1 (notes) + 2 (chats) + 4 (pinned as evidence).
Save the file.
We recommend you validate JSON changes before committing them.
Go to
Settings
About
Troubleshooting
and add the following Server Configuration:
Key	Value
DB.IndexEntryContent	true
Delete the relevant War Room entries index on all databases by running the following command on each database machine:
rm -rf /var/lib/demisto/data/demistoidx/entries_MMYYYY
For example, to delete March 2020, run:
rm -rf /var/lib/demisto/data/demistoidx/entries_032020
To add indexing for additional months, run the same command for each month, but change the date in the command, after "entries_". Adding months may cause re-indexing to take longer depending on the number of cases in the system.
Start Cortex XSOAR from the command line by running one or more of the following commands:
For the current month:
# sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_MMYYYY
For example, to re-index March 2020, run:
sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_032020
For multiple months, add the dates as CSV values:
sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_MMYYYY,entries_MMYYYY,entries_MMYYYY
For example, to re-index January, February, March 2020, run:
sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_032020,entries_022020,entries_012020
A number of entries related to indexing appear, similar to below:
 2019-03-21 19:00:45.651 info DB restoring 419 keys into index entries from
								investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1330)

								2019-03-21 19:00:45.6649 info entry DB put in batch 78 index entries from
								investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)

								2019-03-21 19:00:46.4385 info entry DB put in batch 100 index entries from
								investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)

								2019-03-21 19:00:47.0948 info entry DB put in batch 100 index entries from
								investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)

								2019-03-21 19:00:47.8588 info entry DB put in batch 100 index entries from
								investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)

								2019-03-21 19:00:48.6046 info entry DB put in batch 41 index entries from
								investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)

								2019-03-21 19:00:48.6047 info DB restore into [entries] [investigations-264]
								[] completed (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1371)

								When the re-indexing has completed, the above console messages cease and
								Demisto runs automatically.
							
Confirm that you can search your case comments through the search bar.

Stop the service by using CTRL-C as the Cortex XSOAR server is running locally from the command line.
Start Cortex XSOAR by running the following command:
systemctl start demisto