Archive Cortex XSOAR data you no longer need regular
access to, using Elasticsearch index lifecycle management.
Cortex XSOAR supports archiving of partitioned
data. Partitioned data is stored in indices on a monthly basis for
easy archiving and accessibility. To free up disk space, you can
create Elasticsearch snapshots of the relevant indices and then
delete the indices. Elasticsearch supports index lifecycle management
through the ILM API, to automatically manage indices retention and
optimize old indices. You can set up an ILM policy through
the Elasticsearch API or the Elasticsearch UI.
archive older data we recommend deleting all indices for a specific month
after creating a snapshot for that month. For example, to delete
all January 2020 data, use the following API call:
can be safely done at any given time without shutting down the Cortex XSOAR
service. To restore archived data, follow the restore instructions
for Elasticsearch backups.