Splunk® App for SOAR

Install and Configure Splunk App for SOAR


Reindex data

In some situations, data coming into Splunk SOAR cannot be indexed and therefore cannot be searched. In such cases, you can reindex one or more information sections to make that data searchable again.

If you are using Splunk SOAR version 6.2.0 or later, reindexing sends all of your SOAR data to your Splunk Enterprise or Splunk Cloud Platform deployment again. Any data that was already indexed is received a second time, so reindexing can produce duplicate events. To prevent duplicates, delete the existing objects from all forwarder groups before you reindex. See How indexing works in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Here are some situations that require you to reindex your data:

  • The embedded Splunk Enterprise instance, or the external Splunk Enterprise or Splunk Cloud Platform deployment, was offline or unreachable while SOAR was producing data.
  • Upgrading Splunk Phantom from a version earlier than 4.0.
  • Converting from a single Splunk SOAR instance to a cluster.
  • Changing your search setting configuration, such as switching from using the embedded Splunk Enterprise to an external Splunk Enterprise or Splunk Cloud Platform instance.

Each option in the Section to Reindex drop-down list represents multiple database tables or information stores. For example, the Action index contains results for both action runs and app runs. The Playbook index covers both playbooks and custom lists.

To reindex your data, perform the following tasks in Splunk SOAR:

  1. From the main menu, select Administration.
  2. Select Administration Settings.
  3. Select Search Settings.
  4. In the Reindex Search Data section, select an information section from the Section to Reindex drop-down list.
  5. Select Reindex.

Reindexing is resource intensive and can impact system performance. Large data sets may take some time to reindex.
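Because reindexing on Splunk SOAR 6.2.0 or later can forward events that are already present in your Splunk indexes, it is worth checking for duplicates after the reindex completes. The following search is an added example and is not part of the Splunk documentation or the Splunk App for SOAR. It assumes that container data from SOAR lands in an index named phantom_container and that each container event carries an id field; both are assumptions, so substitute the index and key field that apply to the section you reindexed (for example, the action run or playbook index).

```spl
index=phantom_container earliest=-7d
| stats count AS copies, min(_time) AS first_seen, max(_time) AS last_seen BY id
| where copies > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - copies
```

The search groups events by the assumed id key, keeps only keys that occur more than once, and reports when the first and last copy arrived, which lets you tell a reindex-induced duplicate (copies clustered around the time you selected Reindex) from a container that was legitimately updated several times. An empty result set means no duplicates for that key within the time range. If duplicates are present and you cannot remove them at the indexer, you can suppress them at search time with `| dedup id sortby -_time`, which keeps the most recent copy of each id.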

Last modified on 05 March, 2024

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.41, 1.0.57
