Some Closed Incidents are not purged during scheduled maintnance

book

Article ID: 156640

calendar_today

Updated On:

Products

Security Information Manager

Issue/Introduction

Some Incidents cannot be purged

You may see errors similar to this in the db2diag.nfy log file:

WARN  com.symantec.sim.simdb.job.BaseHealthJob - incident - Caught exception
during doHealth for table SYMCMGMT.SYMC_SIM_EVENT
org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallback;
uncategorized SQLException for SQL [{call SYSPROC.ADMIN_CMD(?)}]; SQL state
[01H52]; error code [-2219]; DB2 SQL error: SQLCODE: -2219, SQLSTATE: 01H52,
SQLERRMC: SYMCMGMT.SYMC_SIM_EVENT;9; nested exception is
com.ibm.db2.jcc.a.SqlException: DB2 SQL error: SQLCODE: -2219, SQLSTATE: 01H52,
SQLERRMC: SYMCMGMT.SYMC_SIM_EVENT;9
 

Cause

When you look at the details of the closed incidents or closed merged incident there are Created:, Modified:, and Closed: dates.  The incident that cannot be purged will have a blank Closed date. This is because the incident has null value in the CLOSED_TIME field. 

Resolution

The following command will allow you to put a date in the CLOSED_TIME field.

  1. From the command line, login as db2admin
     
  2. Connect to database executing following command:

     db2 connect to sesa
     
  3. Execute the following command to update the table

    db2 "UPDATE SYMCMGMT.SYMC_SIM_INCIDENT SET CLOSED_TIME = '2012-06-13-09.59.42.370000' where STATE = 3 and CLOSED_TIME IS NULL"


In the above command, given CLOSED_TIME is just an example for showing input format of date (yyyy-mm-dd-hh.mm.ss.mmmmmm), you can put any date depending on how you are purging.  For example if you have SSIM set to purge closed incidents after 30 days make sure the date is 31 previous to the current date.  The incidents should be purged at the next maintenance cycle.