Re-indexing
When changes are made to the data schema, it becomes necessary to re-index data to reflect these changes. Existing data may not match the updated schema without re-indexing, leading to data inconsistencies or errors during queries. Re-indexing lets you copy all or a subset of your data from a source index into a destination index.
To re-index an existing index, perform the following steps on either the ThreatLockDown dashboard or the ThreatLockDown server.
ThreatLockDown dashboard
Click on the upper left menu ☰ and go to Indexer/dashboard management > Dev Tools.
Enter the following API call, replacing my-source-index with the source index pattern and my-destination-index with the destination index pattern.
POST /_reindex
{
  "source":{
    "index":"my-source-index"
  },
  "dest":{
    "index":"my-destination-index"
  }
}
For example:
POST /_reindex
{
  "source":{
    "index":"wazuh-alerts-*"
  },
  "dest":{
    "index":"example-alerts"
  }
}
Command line interface
Run the following command on any ThreatLockDown central component that is allowed to authenticate to the ThreatLockDown API. Replace <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the indexer username and password:
curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
  "source":{
    "index":"my-source-index"
  },
  "dest":{
    "index":"my-destination-index"
  }
}'
For example:
curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
  "source":{
    "index":"wazuh-alerts-*"
  },
  "dest":{
    "index":"example-alerts"
  }
}'
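The curl call above as a reusable wrapper, added here as an example and not taken from the ThreatLockDown documentation. It validates the index names before building the request body, verifies the indexer certificate with --cacert instead of -k, and passes the credentials on stdin; INDEXER_CA and the function names are assumptions, and the other environment variables reuse the page's placeholders.

```shell
#!/bin/sh
# Added example (not from the product docs). Reads INDEXER_USERNAME, INDEXER_PASSWORD
# and INDEXER_IP_ADDRESS (the page's placeholders) plus INDEXER_CA, an assumed path
# to the CA certificate that signed the indexer certificate, from the environment.
LC_ALL=C   # byte-wise ranges, so [a-z] never matches uppercase letters

# Conservative allow-list, stricter than the indexer's own naming rules: it keeps
# quotes and backslashes out of the hand-built JSON body below.
valid_index_name() {
  case "$1" in
    ''|[-_+]*|*[!a-z0-9._*-]*) return 1 ;;
  esac
  return 0
}

# Print the page's request body for source pattern $1 and destination index $2.
reindex_body() {
  valid_index_name "$1" || { echo "invalid source: $1" >&2; return 2; }
  valid_index_name "$2" || { echo "invalid destination: $2" >&2; return 2; }
  case "$2" in
    *'*'*) echo "destination must be a single index, not a pattern" >&2; return 2 ;;
    # Unquoted $1 is matched as a glob: a destination that the source pattern
    # also matches would join the source set as soon as it exists.
    $1) echo "destination $2 is matched by source $1" >&2; return 2 ;;
  esac
  printf '{"source":{"index":"%s"},"dest":{"index":"%s"}}' "$1" "$2"
}

# Send the request. --cacert verifies the indexer certificate (the page's -k
# skips that check) and -K - reads the credentials from stdin, which keeps them
# out of the process list. Assumes no double quote or backslash in the password.
run_reindex() {
  body=$(reindex_body "$1" "$2") || return
  printf 'user = "%s:%s"\n' "$INDEXER_USERNAME" "$INDEXER_PASSWORD" |
    curl --silent --show-error --fail --cacert "$INDEXER_CA" -K - \
      -XPOST "https://$INDEXER_IP_ADDRESS:9200/_reindex" \
      -H 'Content-Type: application/json' -d "$body"
}

# Only contact the indexer when called with a source and a destination.
if [ "$#" -eq 2 ]; then
  run_reindex "$1" "$2"
fi
```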