15.1 Overview

All event data partitions in the system need to be indexed so that they become searchable. After upgrading Sentinel from a version prior to 8.3.1.0, the existing event data is not available for Sentinel operations until the partitions are re-indexed. Until then, the results of searches, reports, historical views, and other jobs will be inconsistent.

For example, for reports that cover the past three months, the event data for that period must be re-indexed before you start the report jobs. Otherwise, the generated reports might not be accurate.

After upgrading Sentinel, re-indexing is required only for the existing (old) event data partitions and not for the new incoming events.

Re-indexing event data is different from event data restoration. Re-indexing is a process of recreating event data partition indexes, which is needed because of underlying indexing library upgrades, whereas event data restoration restores data from other systems.

The Event Data Partition page displays a pie chart, which indicates the number, percentage, and size of partitions that were indexed or need to be indexed, across both primary and secondary storage. You can either select all the data or select data for a date range to re-index.

You can re-index event data partitions either through the web interface (online) or through an offline tool, which enables re-indexing in offline mode. You can also use both methods simultaneously.