Looking at OI we have 1.5 million alarms for a tenant. If we change the start date in OI to one month ago, we have almost 17 million alarms. We need to delete older alarms. How can we delete the older alarms in OI? We are using on premise OI.
Release : 20.2
Component : CA DOI ALARM ANALYTICS
Please review the following TechDoc, test the procedure with one or two alarms, and see if it works for you.
If it does, we can build a query to delete more alarms.
TechDoc: https://knowledge.broadcom.com/external/article/204085
It is possible to delete alarms by other fields.
Here is an example of a query that searches for alarms for a host:
POST {Elastic-Endpoint}/ao_itoa_alarms_all_1*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "doc_type_id": "itoa_alarms_apm"
          }
        },
        {
          "match": {
            "host": "CDSFestHFDJDHF034ger8"
          }
        },
        {
          "match": {
            "status": "CLOSED"
          }
        },
        {
          "match": {
            "@tenant_id": "<tenant ID>"
          }
        }
      ]
    }
  }
}
This lists the number of alarms for that host that are in CLOSED status.
Next, we can delete those alarms by sending the same query body to the delete-by-query endpoint:
POST {Elastic-Endpoint}/ao_itoa_alarms_all_1*/_delete_by_query
We suggest deleting a small number of alarms first to confirm that you get the expected results.
We also suggest running the tests in NON PROD before moving to PROD.
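The count-then-delete workflow described above, as an added Python example (not code from the TechDoc or from Broadcom). It assumes the Elastic endpoint is reachable without authentication; the function names and the `max_docs` guard are hypothetical, and it uses Elasticsearch's `_count` API instead of `_search` to size the match before deleting.

```python
import json
import urllib.request

INDEX = "ao_itoa_alarms_all_1*"  # index pattern from the article


def build_query(host, tenant_id, doc_type="itoa_alarms_apm", status="CLOSED"):
    """Build the same bool/must query as the search above, parameterised."""
    fields = {"doc_type_id": doc_type, "host": host,
              "status": status, "@tenant_id": tenant_id}
    return {"query": {"bool": {"must": [{"match": {k: v}} for k, v in fields.items()]}}}


def http_post(url, body):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def delete_alarms(endpoint, query, max_docs, confirm=False, post=http_post):
    """Count matches first; delete only when confirmed and within max_docs."""
    base = f"{endpoint.rstrip('/')}/{INDEX}"
    matched = post(f"{base}/_count", query)["count"]
    if matched > max_docs:
        # Refuse broad deletes: the query matched more than the caller expected.
        raise ValueError(f"{matched} alarms match, limit is {max_docs}; narrow the query")
    if not confirm or matched == 0:
        return {"matched": matched, "deleted": 0}  # dry run, nothing removed
    result = post(f"{base}/_delete_by_query", query)
    return {"matched": matched, "deleted": result["deleted"]}


if __name__ == "__main__":
    # Constructed stand-in for the cluster so the example runs offline.
    def fake_post(url, body):
        return {"count": 2} if url.endswith("/_count") else {"deleted": 2}

    q = build_query("CDSFestHFDJDHF034ger8", "<tenant ID>")
    print(delete_alarms("http://localhost:9200", q, max_docs=10, post=fake_post))
    print(delete_alarms("http://localhost:9200", q, max_docs=10, confirm=True, post=fake_post))
```

Run it once without `confirm` to see how many alarms match, then rerun with `confirm=True` and a `max_docs` value just above that count.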