Reindex the database in Cortex XSOAR.
In some cases, you might need to reindex the entire database, if you encounter incorrect or partial data in Cortex XSOAR. Reindexing processes all data in the database and ensures it is fully available for searches in the Cortex XSOAR UI. If issues are only appearing related to a specific index (the indicators from December, for example), you can instead Reindex a Specific Index Database. Depending on the volume of the data in the system, it may take some time for the indexing to complete. We recommend consulting with Cortex XSOAR support before reindexing.
By default, indexing HTML, markdown, and long text fields, are set to 30,000 characters. If large fields are detected, only the first 30,000 characters are searchable. You can change this by adding the server.text.max.characters
server configuration and adding the amount of characters as required.
Increasing the amount of characters can decrease performance. Reducing the amount of characters, limits disk space consumption and increases performance.
Caution
If using Live Backup, the database must be reindexed on both the production and backup servers.
By default, audits are not reindexed. For more information, see Reindex the Audit Log.
After reindexing, all of your data should appear, such as incidents, playbooks, and automations. If there is data missing, follow the procedure in Reindex a Specific Index Database. If the problem persists, contact the Cortex XSOAR support team.
Stop the Cortex XSOAR service.
sudo service demisto stop
Back up the index directory (
/var/lib/demisto/data/demistoidx
).Note
The backup of the index directory should not be stored under
/var/lib/demisto
.Delete the index folder using the following command.
sudo rm -rf /var/lib/demisto/data/demistoidx
Start the Cortex XSOAR service.
sudo service demisto start
Log in to your Cortex XSOAR instance and verify that the reindex process was successful.