Splunk SOAR (f.k.a. Phantom)

How can I check on PG side what is consuming more space in the database?

victor_menezes
Path Finder

Hi guys,

I'm trying to isolate what is responsible for most of the data size on Phantom. My data/db/base folder is huge and it keeps growing even though the logging level is really low and the vault is not something that I often use.

/opt/phantom/data]$ du -hsx * | sort -rh | head -10 | grep db
2.6T db

Is there any way for me to query and see what is consuming much space and maybe delete some old stuff?

I know that Phantom has those scripts to remove containers, etc., but I personally don't think containers are the bad guys in this context, and the way it is I don't have like double the space available to do a Vacuum if I delete them all.

Thanks!

0 Karma

phanTom
SplunkTrust

@victor_menezes there are lots of things that can cause the DB to be large, usually action_run/playbook_run/artifact/audit tables are very large.

First, you should set up data retention policies if not done already (docs link) as this should keep the database trimmed.

I have seen DBs of similar and larger sizes for heavily used installations. What's your setup and how many events do you currently have on the platform?

The only other way would be to interact with the DB to trim tables but of course I would 100% recommend engaging with support before deviating from established ways to manage DB capacity.

-- Hope this helps! If so please mark as a solution! Happy SOARing! --

paulcurry
Path Finder

Would ingestion summary help?  I haven't used Phantom in a long time so I may be totally off base.

System Health > Ingestion Summary.

0 Karma

victor_menezes
Path Finder

Not really. That's just an overall count of ingested events.

I'm looking more at the DB level because I suspect that there is something "stuck" on the DB side, so something like table sizes, etc.

0 Karma
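
Added example, not part of any post in this thread and not Splunk's own tooling: a read-only PostgreSQL size report of the kind the question asks for, using only standard catalog views and size functions. It assumes a psql session connected to the SOAR database with permission to read the statistics views; how to connect is not given in the thread and is not assumed here.

```sql
-- 1) Size of each database in the cluster. The oid column matches the
--    directory names under data/db/base, so the large folder can be
--    tied to a specific database.
SELECT d.oid                                   AS base_dir_name,
       d.datname,
       pg_size_pretty(pg_database_size(d.oid)) AS db_size
FROM pg_database AS d
ORDER BY pg_database_size(d.oid) DESC;

-- 2) Top 20 tables in the connected database by total on-disk size,
--    split into heap, TOAST/maps and indexes, with dead-tuple counts
--    and last vacuum times to spot bloat that was never reclaimed.
--    n_live_tup / n_dead_tup are statistics estimates, not exact counts.
SELECT s.schemaname,
       s.relname                                       AS table_name,
       pg_size_pretty(pg_total_relation_size(s.relid)) AS total_size,
       pg_size_pretty(pg_relation_size(s.relid))       AS heap_size,
       pg_size_pretty(pg_table_size(s.relid)
                      - pg_relation_size(s.relid))     AS toast_and_maps,
       pg_size_pretty(pg_indexes_size(s.relid))        AS index_size,
       s.n_live_tup,
       s.n_dead_tup,
       round(100.0 * s.n_dead_tup
             / NULLIF(s.n_live_tup + s.n_dead_tup, 0), 1) AS dead_pct,
       s.last_autovacuum,
       s.last_vacuum
FROM pg_stat_user_tables AS s
ORDER BY pg_total_relation_size(s.relid) DESC
LIMIT 20;
```

Both statements only read catalog and statistics data. A table with a large total_size, a high dead_pct and an old or empty last_autovacuum is holding space that deletes alone have not returned to the filesystem.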