Reindex the Entire Database - Administrator Guide - 6.8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.8
Creation date
2022-09-28
Last date published
2024-03-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

Reindex the database in Cortex XSOAR. Reindexing data managing

In some cases, you might need to reindex the entire database, if you encounter incorrect or partial data in Cortex XSOAR. Reindexing processes all data in the database and ensures it is fully available for searches in the Cortex XSOAR UI. If issues are only appearing related to a specific index (the indicators from December, for example), you can instead Reindex a Specific Index Database. Depending on the volume of the data in the system, it may take some time for the indexing to complete. We recommend consulting with Cortex XSOAR support before reindexing.

By default, indexing HTML, markdown, and long text fields, are set to 30,000 characters. If large fields are detected, only the first 30,000 characters are searchable. You can change this by adding the server.text.max.characters server configuration and adding the amount of characters as required.

Increasing the amount of characters can decrease performance. Reducing the amount of characters, limits disk space consumption and increases performance.

Caution

  • If using Live Backup, the database must be reindexed on both the production and backup servers.

  • By default, audits are not reindexed. See Reindex the Audit Log for instructions.

  • After reindexing, all of your data should appear, such as incidents, playbooks, and automations. If there is data missing, following the procedure in Reindex a Specific Index Database. If the problem persists, contact the Cortex XSOAR support team.

  1. Stop the Cortex XSOAR service.

    sudo service demisto stop

  2. Backup the index directory (/var/lib/demisto/data/demistoidx).

    Note

    The backup of the index directory should not be stored under /var/lib/demisto.

  3. Delete the index folder using the following command.

    sudo rm -rf /var/lib/demisto/data/demistoidx

  4. Start the Cortex XSOAR service.

    sudo service demisto start

  5. Log in to your Cortex XSOAR instance and verify that the reindex process was successful.