Re-Indexing

When changing mappings or index settings, we may need to re-index the existing indices to ensure there are no mapping conflicts.

One way to do this by using the following experimental example script:

https://raw.githubusercontent.com/weslambert/securityonion-elastic-misc/master/so-elastic-reindex

Pull down the script to your Security Onion box:

wget https://raw.githubusercontent.com/weslambert/securityonion-elastic-misc/master/so-elastic-reindex

Make the script executable:

sudo chmod +x so-elastic-reindex

Re-index all indices matching logstash-*, pulling the appropriate refresh_interval from the template named logstash in Elasticsearch:

sudo ./so-elastic-reindex -i "logstash-*" -t "logstash"

The script should then progress to re-index the matching indices, and inform you when it has completed.

Warning

Abnormal execution of this script may result in data loss– there are NO GUARANTEES this process will work perfectly for you.