Reindex the database in Cortex XSOAR.
In some cases, you might need to reindex the entire database, if you encounter incorrect or partial data in Cortex XSOAR. Reindexing processes all data in the database and ensures it is fully available for searches in the Cortex XSOAR UI. If issues are only appearing related to a specific index (the indicators from December, for example), you can instead Reindex a Specific Index Database. Depending on the volume of the data in the system, it may take some time for the indexing to complete. We recommend consulting with Cortex XSOAR support before reindexing.
By default, indexing HTML, markdown, and long text fields, are set to 30,000 characters. If large fields are detected, only the first 30,000 characters are searchable. You can change this by adding the server.text.max.characters
server configuration and adding the amount of characters as required.
Increasing the amount of characters can decrease performance. Reducing the amount of characters, limits disk space consumption and increases performance.
Note
If using Live Backup, the database must be reindexed on both the production and backup servers.
Note
By default, audits are not reindexed. See Reindex the Audit Log for instructions.
Stop the Cortex XSOAR service.
sudo service demisto stop
Backup the index directory (
/var/lib/demisto/data/demistoidx
).Note
The backup of the index directory should not be stored under
/var/lib/demisto
.Delete the index folder using the following command.
sudo rm -rf /var/lib/demisto/data/demistoidx
Start the Cortex XSOAR service.
sudo service demisto start
Log in to your Cortex XSOAR instance and verify that the reindex process was successful.
All of your data should appear, for example, incidents, playbooks, automations, and so on. If there is a problem, contact the Cortex XSOAR support team.