Archive Data with Elasticsearch

Archive Cortex XSOAR data you no longer need regular access to, using Elasticsearch index lifecycle management.
Cortex XSOAR supports archiving of partitioned data. Partitioned data is stored in monthly indices for easy archiving and accessibility. To free up disk space, you can create Elasticsearch snapshots of the relevant indices and then delete the indices. Elasticsearch also supports index lifecycle management (ILM) through the ILM API, which automatically manages index retention and optimizes old indices. You can set up an ILM policy through the Elasticsearch API or the Elasticsearch UI.
To manually archive older data, we recommend deleting all indices for a specific month after creating a snapshot for that month. For example, to delete all January 2020 data, use the following API call:
DELETE *dmst-*_202001
This can be safely done at any given time without shutting down the Cortex XSOAR service. To restore archived data, follow the restore instructions for Elasticsearch backups.
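
The snapshot-then-delete sequence described above, written out as an added example (it is not Cortex XSOAR or Elastic code). It refuses to delete the month's indices unless the snapshot finished with state SUCCESS, no failed shards and at least one index. It assumes a snapshot repository is already registered; the repository name, the snapshot naming scheme and all function names are hypothetical.

```python
import json
import urllib.request

def month_pattern(year, month):
    """Index pattern used on the page: every partitioned index for one month."""
    if not 1 <= month <= 12:
        raise ValueError("month must be 1-12")
    return f"*dmst-*_{year:04d}{month:02d}"

def snapshot_is_complete(resp):
    """True only if the snapshot holds at least one index and no shard failed."""
    snap = resp.get("snapshot", {})
    shards = snap.get("shards", {})
    return (snap.get("state") == "SUCCESS"      # not PARTIAL / FAILED / IN_PROGRESS
            and shards.get("total", 0) > 0
            and shards.get("failed") == 0
            and bool(snap.get("indices")))      # empty list: pattern matched nothing

def es_request(method, url, body=None):
    """Minimal JSON client; add authentication and TLS options for your cluster.
    urlopen raises on any 4xx/5xx, so a rejected snapshot never reaches the delete."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def archive_month(es_url, repo, year, month, request=es_request):
    """Snapshot one month of indices, verify the snapshot, then delete the indices."""
    pattern = month_pattern(year, month)
    snap_name = f"xsoar-{year:04d}{month:02d}"  # hypothetical naming scheme
    resp = request("PUT",
                   f"{es_url}/_snapshot/{repo}/{snap_name}?wait_for_completion=true",
                   {"indices": pattern, "include_global_state": False})
    if not snapshot_is_complete(resp):
        state = resp.get("snapshot", {}).get("state")
        raise RuntimeError(f"snapshot {snap_name} state={state}; indices left in place")
    return request("DELETE", f"{es_url}/{pattern}")

if __name__ == "__main__":
    # Constructed values: local cluster, repository "xsoar_archive" already registered.
    print(archive_month("http://localhost:9200", "xsoar_archive", 2020, 1))
```

Keep the snapshot name recorded alongside the month it covers, since that name is what the Elasticsearch restore procedure asks for.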
