Index War Room Entries in a Multi-Tenant Deployment
Index Cortex XSOAR War Room entries to ensure that you
can search for them in the Search Incidents. Re-index incidents
for selected months.
By default, Cortex XSOAR does not index notes,
chats, and pinned as evidence entries from incident War Rooms and
it is not possible to find these entries in the Search Incidents
bar. Use this procedure to index these entries, which also re-indexes
incidents for selected months.
Depending on the number
of cases in your system and server hardware, the re-indexing operation
can take a significant amount of time, during which the Cortex XSOAR
server is inaccessible. It is recommended to undertake this procedure
when it has a minimal impact on your organization. After completion,
you should review your Cortex XSOAR server, as it may have some
impact on performance.
You can choose one of the values separately,
or add them together for all values. For example, 7 is the total
of 1 (notes) + 2 (chats) + 4 (pinned as evidence).
Save the file.
We recommend you validate JSON changes before committing them.
Delete the relevant War Room entries index on all databases
by running the following command on each database machine:
rm- rf /var/lib/demisto/tenants/acc_
example, to delete March 2020, run the following command:
rm -rf /var/lib/demisto/tenants/acc_
add indexing for additional months, run the same command for each
month, but change the date in the command, after "entries_". Adding
months may cause re-indexing to take longer depending on the number
of cases in the system.
Start the tenant process:
the tenant account, and click
In the field
Additional arguments for tenant start
specify which month(s) you want to re-index. For example, to re-index
March 2020, enter
For multiple months, use comma separated values. For example,