Splunk SOAR (f.k.a. Phantom)

Containers still there after running delete_containers.pyc?

victor_menezes

Hi guys,

On Phantom 4.10.7, I tried to delete containers older than 6 months via delete_containers.pyc, and it confirmed the counts of affected containers, artifacts and run records as expected, but after confirming the deletion and waiting a few seconds until the command was done, I can still see the containers via the UI.

If I rerun the delete_containers command with the same parameters, it says there is nothing there to be deleted.

Does anyone have any idea what is going on? I need to housekeep the environment due to the surge in disk usage, and there is no better way IMO than this one. Any suggestions are highly appreciated.


victor_menezes

Found the solution here in this thread:

https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/What-is-the-proper-way-to-purge-SOAR-conta...

In a nutshell, the delete_containers and delete_indicator scripts just "hide" them for visibility, but don't actually physically remove the space allocated to them in the database, so after deleting you need to manually log into the database and run a VACUUM FULL on the affected table.

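The check-and-reclaim step described in the accepted answer, as an added example that is not part of the original post or Splunk's own tooling. It assumes the SOAR database is PostgreSQL (where VACUUM FULL is a native command); `affected_table` is a placeholder, because the thread does not name the table.

```sql
-- Added example; run inside a PostgreSQL session connected to the SOAR database.

-- 1. Find where the space is: rank tables by on-disk size and show the
--    dead rows that earlier deletes left behind.
SELECT relname                                       AS table_name,
       n_live_tup                                    AS live_rows,
       n_dead_tup                                    AS dead_rows,
       pg_size_pretty(pg_total_relation_size(relid)) AS total_size,
       last_vacuum,
       last_autovacuum
FROM   pg_stat_user_tables
ORDER  BY pg_total_relation_size(relid) DESC
LIMIT  10;

-- 2. Record the database size before reclaiming. VACUUM FULL writes a
--    complete new copy of the table before dropping the old one, so the
--    volume needs free space of roughly the table's live size.
SELECT pg_size_pretty(pg_database_size(current_database())) AS size_before;

-- 3. Rewrite the table and return the freed pages to the operating system.
--    This takes an ACCESS EXCLUSIVE lock: reads and writes on the table
--    block until it finishes, so run it in a maintenance window.
VACUUM (FULL, VERBOSE, ANALYZE) affected_table;  -- placeholder table name

-- 4. Confirm the result for the table and for the database as a whole.
SELECT pg_size_pretty(pg_total_relation_size('affected_table')) AS table_size_after,
       pg_size_pretty(pg_database_size(current_database()))      AS database_size_after;
```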
