Use data retention strategies to schedule and manage your database cleanup
Use the data retention tool configure_db_maintenance.py as a single tool for setting scheduled and automatic deletion of unused or outdated data from the PostgreSQL database. This tool works with all models: containers, indicators, audit logs, device profiles for mobile registration, notifications, and playbook run records.
- Model: Any item that is a record in the PostgreSQL database. A model is defined by a set of characteristics that determine what kind of information the record represents. For example, a container is a model for data retention strategies.
- Strategy: The configurable parameters that define when a record should be deleted when the tool is run, or when records should be deleted automatically.
To use the configure_db_maintenance.py tool, follow these steps:
- SSH to your instance.
    ssh <username>@<phantom_hostname>
- Use the following tool to manage data deletion based on your installation.
  - For an unprivileged installation, use this command:
      phenv python /opt/phantom/www/manage.py configure_db_maintenance
  - For a privileged installation, use this command:
      sudo phenv python /opt/phantom/www/manage.py configure_db_maintenance
- Append your desired argument to the data retention tool command line to schedule, list, enable, or disable data retention actions.
On clustered systems, the configure_db_maintenance.py tool can be run from any node, but only the leader node runs the data retention strategy.
Data retention tool arguments
Append the --help argument to the tool command to get information on the data retention tool arguments.
Optional arguments
Use these optional arguments to manage your data retention strategy.
Argument | Description |
---|---|
-h, --help | Show this help message and exit. |
--schedule | Schedule data retention to execution schedule. |
--cron-schedule CRON_SCHEDULE | How often to query Data Retention Schedule. Must be a cron schedule expression. |
--list | List strategies in data retention strategy. |
--target-model TARGET_MODEL, -m TARGET_MODEL | Name of model to run action on. |
-v {0,1,2,3}, --verbosity {0,1,2,3} | Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very verbose output. |
You must specify the target model to add, delete, enable, or disable a model.
Add a model to your data retention strategy
The following arguments are required to successfully add a model to the data retention strategy.
Argument | Description |
---|---|
--add | Add a model strategy to the data retention strategy. You must supply the following sub-arguments: |
--age-to-keep-time-unit {hours,days,months,years}, -u {hours,days,months,years} | Unit of time. |
--max-age-to-keep MAX_AGE_TO_KEEP, -a MAX_AGE_TO_KEEP | How many units of time to keep model. |
--disabled | Disable the strategy on creation. |
If you add a data retention strategy for a model that already has one, the new strategy replaces the existing strategy.
Edit a model's entry in your data retention strategy
The following arguments are required to edit a model in the data retention strategy.
Argument | Description |
---|---|
--delete | Delete a model strategy from the data retention strategy. You must supply the -m argument with the name of the model to delete. |
--enable | Enable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to enable. |
--disable | Disable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to disable. |
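Because a new strategy replaces any existing one for the same model, one cautious sequence is to list the current strategies, add the new one with --disabled, list again to review it, and only then enable it. The script below is an added example, not part of the Splunk documentation or tooling; it only prints the command lines, and the names retention_cmd, rollout_plan and PRIVILEGED, the model name indicator, and the allowed model-name characters are assumptions.

```shell
#!/bin/sh
# Added example (not Splunk code): prints configure_db_maintenance command
# lines after validating the retention arguments. Nothing is executed.
MANAGE="phenv python /opt/phantom/www/manage.py configure_db_maintenance"

# retention_cmd ACTION [MODEL] [UNIT] [AGE]  (name is hypothetical)
# ACTION is list, add, enable, disable or delete.
# PRIVILEGED=1 (hypothetical variable) selects the sudo form of the command.
retention_cmd() {
    action=$1 model=$2 unit=$3 age=$4
    prefix=""
    [ "${PRIVILEGED:-0}" = "1" ] && prefix="sudo "
    case "$action" in
        list) echo "${prefix}${MANAGE} --list"; return 0 ;;
        add|enable|disable|delete) ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    # Every per-model action needs -m. The allowed character set is an
    # assumption; it keeps shell metacharacters out of the printed line.
    case "$model" in
        ''|*[!A-Za-z0-9_]*) echo "bad or missing model name" >&2; return 2 ;;
    esac
    if [ "$action" != "add" ]; then
        echo "${prefix}${MANAGE} --${action} -m ${model}"; return 0
    fi
    case "$unit" in
        hours|days|months|years) ;;
        *) echo "unit must be hours, days, months or years" >&2; return 2 ;;
    esac
    case "$age" in
        ''|*[!0-9]*|0*) echo "age must be a positive integer" >&2; return 2 ;;
    esac
    # --disabled creates the strategy switched off so it can be reviewed.
    echo "${prefix}${MANAGE} --add -m ${model} -u ${unit} -a ${age} --disabled"
}

# rollout_plan MODEL UNIT AGE: list, add disabled, list again, then enable.
rollout_plan() {
    retention_cmd list &&
    retention_cmd add "$1" "$2" "$3" &&
    retention_cmd list &&
    retention_cmd enable "$1"
}

# Constructed sample: "indicator" is an assumed value for -m.
rollout_plan indicator months 3
```

Run the printed lines one at a time on the instance, checking the --list output before the final --enable.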
Examples
Delete indicator records after three months:
Change the schedule on which configure_db_maintenance runs:
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7