Re-indexing
When changes are made to the data schema, it becomes necessary to re-index data to reflect these changes. Existing data may not match the updated schema without re-indexing, leading to data inconsistencies or errors during queries. Re-indexing lets you copy all or a subset of your data from a source index into a destination index.
To re-index an existing index, perform the following steps on either the Wazuh dashboard or the Wazuh server.
Wazuh dashboard
Click on the upper left menu ☰ and go to Indexer management > Dev Tools.
Enter the following API call, replacing my-source-index with the source index pattern and my-destination-index with the destination index pattern.
POST /_reindex
{
  "source": {
    "index": "my-source-index"
  },
  "dest": {
    "index": "my-destination-index"
  }
}
For example:
POST /_reindex
{
  "source": {
    "index": "wazuh-alerts-*"
  },
  "dest": {
    "index": "example-alerts"
  }
}

{
  "took": 23655,
  "timed_out": false,
  "total": 26849,
  "updated": 0,
  "created": 26849,
  "deleted": 0,
  "batches": 27,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": []
}
Command line interface
Run the following command on any Wazuh central component that is allowed to authenticate to the Wazuh API. Replace <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the indexer username and password:
curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
"source":{
"index":"my-source-index"
},
"dest":{
"index":"my-destination-index"
}
}'
For example:
curl -k -u "INDEXER_USERNAME:INDEXER_PASSWORD" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
"source":{
"index":"wazuh-alerts-*"
},
"dest":{
"index":"example-alerts"
}
}'
{"took":18025,"timed_out":false,"total":26854,"updated":26854,"created":0,"deleted":0,"batches":27,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}
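The following is an added example, not part of the Wazuh documentation: it sends the same _reindex request with certificate verification (instead of curl -k) and reviews the counters in the response, including the two responses shown above. The environment variable names, the CA file and the FAILED_RUN sample are assumptions made for illustration.

```python
import base64, json, os, ssl, urllib.request

def reindex(url, source, dest, user, password, ca_file):
    """POST /_reindex, verifying the indexer certificate against ca_file."""
    body = json.dumps({"source": {"index": source}, "dest": {"index": dest}})
    req = urllib.request.Request(f"{url}/_reindex", data=body.encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=ca_file)  # unlike curl -k, TLS is verified
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def review(resp):
    """Return findings for a _reindex response; an empty list means a clean copy."""
    findings = []
    if resp.get("timed_out"):
        findings.append("timed out")
    if resp.get("failures"):
        findings.append(f"{len(resp['failures'])} failures")
    conflicts = resp.get("version_conflicts", 0)
    if conflicts:
        findings.append(f"{conflicts} version conflicts")
    # Consistency check: every document read should be written or accounted for.
    done = sum(resp.get(k, 0) for k in ("created", "updated", "deleted", "noops"))
    if done + conflicts != resp.get("total", 0):
        findings.append(f"{done} of {resp.get('total', 0)} documents processed")
    # "updated" counts documents that already existed in the destination.
    if resp.get("updated", 0):
        findings.append(f"{resp['updated']} destination documents overwritten")
    return findings

# Counters copied from the two responses shown on this page.
DASHBOARD_RUN = {"timed_out": False, "total": 26849, "updated": 0, "created": 26849,
                 "deleted": 0, "version_conflicts": 0, "noops": 0, "failures": []}
CLI_RUN = {"timed_out": False, "total": 26854, "updated": 26854, "created": 0,
           "deleted": 0, "version_conflicts": 0, "noops": 0, "failures": []}
# Constructed sample: a run cut short by one bulk failure.
FAILED_RUN = {"timed_out": False, "total": 100, "updated": 0, "created": 40,
              "deleted": 0, "version_conflicts": 0, "noops": 0,
              "failures": [{"index": "example-alerts", "status": 400}]}

if __name__ == "__main__":
    for name, resp in (("dashboard", DASHBOARD_RUN), ("cli", CLI_RUN), ("failed", FAILED_RUN)):
        print(name, review(resp) or "clean")
    if os.environ.get("INDEXER_URL"):  # hypothetical variable names; keeps secrets off argv
        env = os.environ
        live = reindex(env["INDEXER_URL"], "wazuh-alerts-*", "example-alerts",
                       env["INDEXER_USERNAME"], env["INDEXER_PASSWORD"], env["INDEXER_CA"])
        print("live", review(live) or "clean")
```

The second response on this page reports "updated":26854 and "created":0, which means example-alerts already held documents with the same IDs and the re-index overwrote them.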