CB Response: How To Purge CbEvent (Process) Data in 5.x

Article ID: 290303

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to purge event process data from the Solr database in CB Response 5.x

Environment

  • CB Response Server: 5.x

Resolution

Note: Services need to be running in order for this command to work. To free enough space for services to start, you can run the command in "How To Purge Storefile (Modulestore Binary) Data" for a minute.
  1. Determine the MaxEventStoreDays setting in /etc/cb/cb.conf as a starting point for the purge.
grep MaxEventStoreDays /etc/cb/cb.conf

  2. Determine the cbevent shards (ProcSolrShards) that are present on the local server.
cat /etc/cb/cbcluster.conf
  3. Run the following command, replacing XX with MaxEventStoreDays and SHARD with any shards that are present on the local server. If additional space needs to be recovered, reduce this purge time. This query selects all data older than XX days and deletes it. This command may take a while to complete. Solr will return a response when the purge is done.
curl "http://127.0.0.1:8080/solr/SHARD/update?commit=true" -H "Content-Type: text/xml" -d "<delete><query>last_server_update:[* TO NOW-XXDAYS]</query></delete>"
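The delete in step 3 is irreversible, so it helps to validate both substitutions before sending it. The sketch below is an added example, not Carbon Black code: it prints the command for each shard instead of running it, and it refuses a leftover XX or SHARD placeholder, an empty value, or a zero retention. The function names, the KEY=VALUE layout of cb.conf, the allowed shard characters and the sample shard list are assumptions.

```shell
#!/bin/sh
# Added example: build the step 3 purge command with input guards (dry run).

# Read MaxEventStoreDays from a cb.conf-style file (assumed KEY=VALUE lines).
read_max_days() {
    sed -n 's/^[[:space:]]*MaxEventStoreDays[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Accept only a positive integer. An empty value, "XX" or 0 is rejected so the
# delete range cannot silently become wider than the intended retention.
valid_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# The shard goes into the URL path. Assumed character set: letters, digits,
# "_" and "-". The unreplaced placeholder SHARD is rejected explicitly.
valid_shard() {
    case "$1" in
        ''|SHARD|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Print (do not execute) the curl command for one shard.
build_purge_cmd() {
    _shard=$1
    _days=$2
    valid_shard "$_shard" || { echo "refusing shard: '$_shard'" >&2; return 1; }
    valid_days "$_days" || { echo "refusing days: '$_days'" >&2; return 1; }
    printf 'curl "http://127.0.0.1:8080/solr/%s/update?commit=true" -H "Content-Type: text/xml" -d "<delete><query>last_server_update:[* TO NOW-%sDAYS]</query></delete>"\n' "$_shard" "$_days"
}

# Demo on constructed input: a sample cb.conf and a made-up shard list.
demo_conf=$(mktemp)
printf '# constructed sample\nMaxEventStoreDays=30\n' > "$demo_conf"
demo_days=$(read_max_days "$demo_conf")
for demo_shard in 0 1; do
    build_purge_cmd "$demo_shard" "$demo_days"
done
rm -f "$demo_conf"
```

Review the printed commands against the shards listed in /etc/cb/cbcluster.conf before running any of them.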

 

Additional Information

Please open a support case if Solr is taking over an hour to return.