Re-indexing

When changes are made to the data schema, it becomes necessary to re-index data to reflect these changes. Existing data may not match the updated schema without re-indexing, leading to data inconsistencies or errors during queries. Re-indexing lets you copy all or a subset of your data from a source index into a destination index.

To re-index an existing index, perform the following steps on either the ThreatLockDown dashboard or the ThreatLockDown server.

ThreatLockDown dashboard

  1. Click on the upper left menu and go to Indexer/dashboard management > Dev Tools.

  2. Enter the following API call, replacing my-source-index with the source index pattern and my-destination-index with the destination index pattern.

    POST /_reindex
    {
       "source":{
          "index":"my-source-index"
       },
       "dest":{
          "index":"my-destination-index"
       }
    }
    

    For example:

    POST /_reindex
    {
       "source":{
          "index":"wazuh-alerts-*"
       },
       "dest":{
          "index":"example-alerts"
       }
    }
    
    {
      "took": 23655,
      "timed_out": false,
      "total": 26849,
      "updated": 0,
      "created": 26849,
      "deleted": 0,
      "batches": 27,
      "version_conflicts": 0,
      "noops": 0,
      "retries": {
        "bulk": 0,
        "search": 0
      },
      "throttled_millis": 0,
      "requests_per_second": -1,
      "throttled_until_millis": 0,
      "failures": []
    }
    

Command line interface

Run the following command on any ThreatLockDown central component that is allowed to authenticate to the ThreatLockDown API. Replace <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the indexer username and password:

curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
   "source":{
      "index":"my-source-index"
   },
   "dest":{
      "index":"my-destination-index"
   }
}'

For example:

curl -k -u "INDEXER_USERNAME:INDEXER_PASSWORD" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
   "source":{
      "index":"wazuh-alerts-*"
   },
   "dest":{
      "index":"example-alerts"
   }
}'
{"took":18025,"timed_out":false,"total":26854,"updated":26854,"created":0,"deleted":0,"batches":27,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}