Splunk SOAR

Containers still there after running delete_containers.pyc?

victor_menezes
Path Finder

Hi guys,

 

Phantom 4.10.7, I tried to delete containers older than 6 months via delete_containers.pyc and it confirmed counts of affected containers, artifacts and run records as expected, but after confirming the deletion and waiting for a few seconds until the command was done, I can still see the containers via UI.

If I rerun the delete_containers command again with the same parameters, it says there is nothing there to be deleted.

Anyone has any idea of what is going on? I need to housekeep the environment due to the surge of disk usage and there is no better way IMO as this one. Any suggestions are highly appreciated

0 Karma
1 Solution

victor_menezes
Path Finder

Found the solution here in this thread:

https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/What-is-the-proper-way-to-purge-SOAR-conta...

In a nutshell, delete_containers and delete_indicator scripts just "hide" them for visibility, but don't actually physically remove the space allocated to them in the database, so after deleting it you need to manually log into the database and run a VACCUM FULL in the affected table.

View solution in original post

0 Karma

victor_menezes
Path Finder

Found the solution here in this thread:

https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/What-is-the-proper-way-to-purge-SOAR-conta...

In a nutshell, delete_containers and delete_indicator scripts just "hide" them for visibility, but don't actually physically remove the space allocated to them in the database, so after deleting it you need to manually log into the database and run a VACCUM FULL in the affected table.

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...