Splunk® Phantom Remote Search

Reindex data to make newly added information searchable

In some situations, data coming into Splunk Phantom can't be indexed, and therefore can't be searched. You can reindex information sections to make this information searchable.

Below are some situations that require you to reindex your data:

  • The embedded Splunk Enterprise instance, or the external Splunk Enterprise or Splunk Cloud deployment, was offline or unreachable.
  • You upgraded Splunk Phantom from a version earlier than 4.0.
  • You converted a single Splunk Phantom instance to a cluster.
  • You changed your search setting configuration, such as switching from the embedded Splunk Enterprise to an external Splunk Enterprise or Splunk Cloud instance.

Each section in the Section to Reindex drop-down list represents multiple database tables or information stores. For example, the Action index contains results for both action runs and app runs. The Playbook index covers both playbooks and custom lists.

To reindex your data, perform the following tasks in Splunk Phantom:

  1. From the main menu, select Administration.
  2. Click Administration Settings.
  3. Click Search Settings.
  4. In the Reindex Search Data section, select an information section from the Section to Reindex drop-down list.
  5. Click Reindex.

Reindexing is resource intensive and can impact system performance. Large data sets may take some time to reindex.

Last modified on 16 January, 2020