How to flush the search cache in extractor and delete all artifacts in Security Analytics


Article ID: 168249


Updated On:

Products

Security Analytics

Issue/Introduction

Resolution

1. Find the job id that you want to delete.

echo 'select * from artifact_searches order by id desc;'| su - postgres -c 'psql dsweb'

2. Look for the value of the path that you were using. You will want the extractor value for that search. The extractor value can also be found with:

echo 'select extractor from artifact_searches order by id desc;'| su - postgres -c 'psql dsweb'

3. Now use the following commands to clean the session out.

rm -rf /home/apache/artifacts/[previous extractor value here]

echo 'delete from extractions where session_id = [previous extractor value here]' | su - postgres -c 'psql dsweb'

echo 'delete from artifacts where session_id = [previous extractor value here]' | su - postgres -c 'psql dsweb'

echo "delete from artifact_searches where extractor = '[session_id]'" | su - postgres -c 'psql dsweb'
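
A guarded form of the per-session cleanup in step 3, as an added example that is not part of the original article or vendor code: it refuses an empty or path-like extractor value before `rm -rf` or `psql` sees it, and only prints a dry run unless `APPLY=1` is set. The accepted character set for an extractor value, the function names, and the `ARTIFACT_ROOT` and `APPLY` variables are assumptions.

```sh
#!/bin/sh
# Added example, not vendor code: guarded version of the per-session cleanup.
ARTIFACT_ROOT="${ARTIFACT_ROOT:-/home/apache/artifacts}"

# Assumption: an extractor value is a single path component made only of
# letters, digits, '.', '_' and '-'. Empty, '.', '..' and anything holding
# '/', spaces or quotes is rejected, so it cannot widen the rm target or
# break out of the SQL string literal.
valid_session_id() {
    case "$1" in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the three DELETE statements for one session. The value is quoted in
# each; PostgreSQL coerces the literal to the column's type.
cleanup_sql() {
    valid_session_id "$1" || return 1
    printf "delete from extractions where session_id = '%s';\n" "$1"
    printf "delete from artifacts where session_id = '%s';\n" "$1"
    printf "delete from artifact_searches where extractor = '%s';\n" "$1"
}

# Dry run by default: show what would be removed. Set APPLY=1 to execute.
cleanup_session() {
    if ! valid_session_id "$1"; then
        echo "refusing: invalid extractor value '$1'" >&2
        return 1
    fi
    target="$ARTIFACT_ROOT/$1"
    if [ "${APPLY:-0}" != 1 ]; then
        echo "would run: rm -rf -- $target"
        cleanup_sql "$1"
        return 0
    fi
    rm -rf -- "$target"
    cleanup_sql "$1" | su - postgres -c 'psql dsweb'
}

# Run against the value given on the command line, if any.
if [ "$#" -gt 0 ]; then
    cleanup_session "$1"
fi
```
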


To delete all records of artifact extractions and all extracted files on the file system, do the following:

1. Delete the on-disk artifacts: rm -rf /home/apache/artifacts/*

2. Delete the meta_info via psql: echo 'truncate meta_info' | su - postgres -c 'psql dsweb'

3. Delete the artifacts via psql: echo 'truncate artifacts' | su - postgres -c 'psql dsweb'

4. Delete the artifact_searches via psql: echo 'truncate artifact_searches' | su - postgres -c 'psql dsweb'