Solved: Containers still there after running delete_contai...

victor_menezes · ‎11-09-2022

Hi guys,

Phantom 4.10.7, I tried to delete containers older than 6 months via delete_containers.pyc and it confirmed counts of affected containers, artifacts and run records as expected, but after confirming the deletion and waiting for a few seconds until the command was done, I can still see the containers via UI.

If I rerun the delete_containers command again with the same parameters, it says there is nothing there to be deleted.

Anyone has any idea of what is going on? I need to housekeep the environment due to the surge of disk usage and there is no better way IMO as this one. Any suggestions are highly appreciated

victor_menezes · ‎12-01-2022

Found the solution here in this thread:

https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/What-is-the-proper-way-to-purge-SOAR-conta...

In a nutshell, delete_containers and delete_indicator scripts just "hide" them for visibility, but don't actually physically remove the space allocated to them in the database, so after deleting it you need to manually log into the database and run a VACCUM FULL in the affected table.

View solution in original post

victor_menezes · ‎12-01-2022

Found the solution here in this thread:

https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/What-is-the-proper-way-to-purge-SOAR-conta...

In a nutshell, delete_containers and delete_indicator scripts just "hide" them for visibility, but don't actually physically remove the space allocated to them in the database, so after deleting it you need to manually log into the database and run a VACCUM FULL in the affected table.

Containers still there after running delete_containers.pyc?

administration

configuration

other

troubleshooting

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud