Re-indexing

ThreatLockDown dashboard

1. Click on the upper left menu ☰ and go to Indexer/dashboard management > Dev Tools.

2. Enter the following API call, replacing my-source-index with the source index pattern and my-destination-index with the destination index pattern.

   POST /_reindex
   {
      "source":{
         "index":"my-source-index"
      },
      "dest":{
         "index":"my-destination-index"
      }
   }
   

   For example:

   POST /_reindex
   {
      "source":{
         "index":"wazuh-alerts-*"
      },
      "dest":{
         "index":"example-alerts"
      }
   }
   

   {
     "took": 23655,
     "timed_out": false,
     "total": 26849,
     "updated": 0,
     "created": 26849,
     "deleted": 0,
     "batches": 27,
     "version_conflicts": 0,
     "noops": 0,
     "retries": {
       "bulk": 0,
       "search": 0
     },
     "throttled_millis": 0,
     "requests_per_second": -1,
     "throttled_until_millis": 0,
     "failures": []
   }
   

Command line interface

Run the following command on any ThreatLockDown central component that is allowed to authenticate to the ThreatLockDown API. Replace <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the indexer username and password:

curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
   "source":{
      "index":"my-source-index"
   },
   "dest":{
      "index":"my-destination-index"
   }
}'

For example:

curl -k -u "INDEXER_USERNAME:INDEXER_PASSWORD" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
   "source":{
      "index":"wazuh-alerts-*"
   },
   "dest":{
      "index":"example-alerts"
   }
}'

{"took":18025,"timed_out":false,"total":26854,"updated":26854,"created":0,"deleted":0,"batches":27,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}