Tune performance by managing features
An administrator can tune performance of their deployment by toggling the Indicators feature or removing audit logs from the deployment after they have been downloaded.
Enable or disable the indicators feature
Prior to 4.8, retrieval of indicator records did not scale in some large deployments with hundreds of thousands of indicator records. Performance has since been improved, but some administrators may still wish to disable the feature entirely.
An administrator can turn the Indicators feature on or off by running a script from the *nix shell command line.
Disabling the Indicators feature removes it from the Main Menu, from the events page, and from context menus in the investigations page.
When indicators are disabled, the indicator REST APIs return HTTP status 400 with the following message body:
{ "failed": true, "message": "The indicators feature is not enabled." }
Affected APIs
- /rest/indicator
- /rest/indicator_by_value
- /rest/indicator_artifact
- /rest/indicator_artifact_timeline
- /rest/indicator_stats_indicator_count
- /rest/indicator_stats_top_labels
- /rest/indicator_stats_top_types
- /rest/indicator_stats_top_values
- /rest/ioc
- /rest/indicator_common_container
See REST Indicators.
Toggle the Indicators feature
To disable Indicators:
- SSH to your instance.
ssh <username>@<phantom_hostname>
- Run the set_preference command.
phenv set_preference --indicators no
To enable Indicators:
- SSH to your instance.
ssh <username>@<phantom_hostname>
- Run the set_preference command.
phenv set_preference --indicators yes
It can take as much as five minutes for the Indicators feature to be hidden from, or shown in, the Splunk Phantom UI after the set_preference command has been run.
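Because the toggle is not instantaneous, a deployment or health-check script should poll the REST API rather than assume the new state. The following is an added example, not Splunk's code: it classifies a response from /rest/indicator using the documented 400 body, and waits up to the five-minute window for the expected state. The fetch callable, the timeout and the sample responses are assumptions of this example; a real caller would fetch https://<phantom_hostname>/rest/indicator with an automation token.

```python
import json
import time

# Added example (not part of Splunk Phantom): poll an indicator REST endpoint
# until the feature state matches what set_preference was asked for.

# Message body documented for the 400 response when indicators are disabled.
DISABLED_MESSAGE = "The indicators feature is not enabled."


def indicators_state(status_code, body_text):
    """Classify one response from GET /rest/indicator.

    Returns "disabled" for the documented 400 body, "enabled" for a 2xx
    response, and "unknown" for anything else (auth failure, outage, an
    unrelated 400) so that an unrelated error is never read as "disabled".
    """
    if 200 <= status_code < 300:
        return "enabled"
    if status_code == 400:
        try:
            body = json.loads(body_text)
        except ValueError:
            return "unknown"
        if body.get("failed") is True and body.get("message") == DISABLED_MESSAGE:
            return "disabled"
    return "unknown"


def wait_for_indicators(fetch, expected, timeout=300, interval=15,
                        sleep=time.sleep, clock=time.monotonic):
    """Poll until indicators_state(*fetch()) == expected or the timeout elapses.

    fetch is a callable returning (status_code, body_text); it is injected
    (assumption of this example) so the waiting logic runs without a live
    instance. The default timeout is the five-minute window the docs give.
    Returns (reached, attempts).
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        status, body = fetch()
        if indicators_state(status, body) == expected:
            return True, attempts
        if clock() >= deadline:
            return False, attempts
        sleep(interval)


if __name__ == "__main__":
    # Constructed response sequence: two polls still see the feature disabled,
    # the third sees it enabled. No network access is needed to run this demo.
    scripted = iter([
        (400, '{ "failed": true, "message": "The indicators feature is not enabled." }'),
        (400, '{ "failed": true, "message": "The indicators feature is not enabled." }'),
        (200, "[]"),
    ])
    reached, attempts = wait_for_indicators(
        lambda: next(scripted), "enabled", sleep=lambda s: None)
    print("reached=%s after %d attempts" % (reached, attempts))
```

In a real script the sleep and clock defaults are kept, and fetch wraps an HTTPS GET with the instance's automation token; keep the "unknown" branch distinct so that an expired token or an outage does not get reported as a successful disable.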
Delete audit logs
Prior to version 4.8, downloading audit logs could take a long time because all the records were loaded into memory before being written to a file. In version 4.8, audit log downloads were changed to stream records to the file.
An administrator can remove audit logs after they have been manually downloaded and archived by using the delete_audit_logs.pyc script found in /<PHANTOM_HOME>/phantom/bin.
This script will permanently delete audit records from Splunk Phantom. The records cannot be recovered without restoring Splunk Phantom from a backup. Exercise caution when using this script.
delete_audit_logs.pyc arguments
# phenv python delete_audit_logs.pyc -h
usage: delete_audit_logs.py [-h] [--before BEFORE_TIMESTAMP] [--after AFTER_TIMESTAMP] [--categories [CATEGORIES [CATEGORIES ...]]] [--dry-run] [--non-interactive] [--log-level {NOTSET,DEBUG,INFO,WARNING,ERROR,CRITICAL}]
Argument | Description |
---|---|
-h, --help | Show this help message and exit. |
--before <BEFORE_TIMESTAMP> | Records created before this timestamp will be deleted. Records created after this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format. |
--after <AFTER_TIMESTAMP> | Records created after this timestamp will be deleted. Records created before this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format. |
--categories [CATEGORIES [CATEGORIES ...]] | Only delete records with the given categories. Examples of categories: user, container, playbook, administration, artifact. |
--dry-run | Do not run the DELETE queries. Use this argument to test your parameters before running the script for real. |
--non-interactive | Do not block on user input. This flag is suitable for running as part of an unsupervised script. |
--log-level {NOTSET, DEBUG, INFO, WARNING, ERROR, CRITICAL} | Set the log level. Default level is WARNING. |
Examples
Test script parameters by using the --dry-run option first.
Delete all audit logs from before July 2019:
Delete audit logs between July 1 and December 1 2019:
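The following is an added example, not Splunk's script, showing how an unsupervised retention job would wrap delete_audit_logs.pyc: it validates timestamps against the documented yyyy-mm-dd [hh:mm:ss] form before they reach the script, composes the argument list for the two examples above (assuming "before July 2019" means before 2019-07-01), refuses to build an unfiltered delete, and always performs a --dry-run before the real --non-interactive run. The script path, the 90-day retention window and the injected runner are assumptions of this example.

```python
import re
import subprocess
from datetime import date, datetime, timedelta

# Added example (not part of Splunk Phantom): compose and run
# delete_audit_logs.pyc invocations for a scheduled retention job.

# Placeholder: substitute the real PHANTOM_HOME for your deployment.
SCRIPT = "/<PHANTOM_HOME>/phantom/bin/delete_audit_logs.pyc"

# Documented timestamp form: yyyy-mm-dd with an optional hh:mm:ss.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$")


def check_timestamp(value):
    """Raise ValueError unless value is a calendar-valid yyyy-mm-dd [hh:mm:ss]."""
    if not TIMESTAMP_RE.match(value):
        raise ValueError("timestamp must be yyyy-mm-dd [hh:mm:ss], got %r" % value)
    fmt = "%Y-%m-%d %H:%M:%S" if " " in value else "%Y-%m-%d"
    datetime.strptime(value, fmt)  # rejects e.g. a 13th month
    return value


def build_argv(before=None, after=None, categories=(), dry_run=True,
               non_interactive=False):
    """Build the phenv command line. dry_run defaults to True on purpose."""
    # Safeguard of this example: with no --before/--after/--categories the
    # script would delete every audit record, so refuse to build that call.
    if before is None and after is None and not categories:
        raise ValueError("refusing to build a delete of every audit record")
    argv = ["phenv", "python", SCRIPT]
    if before is not None:
        argv += ["--before", check_timestamp(before)]
    if after is not None:
        argv += ["--after", check_timestamp(after)]
    if categories:
        argv += ["--categories", *categories]
    if dry_run:
        argv.append("--dry-run")
    if non_interactive:
        argv.append("--non-interactive")
    return argv


def retention_cutoff(today_iso, keep_days):
    """--before value for a rolling window: records older than keep_days."""
    today = date.fromisoformat(today_iso)
    return (today - timedelta(days=keep_days)).strftime("%Y-%m-%d")


def run_retention(before, run=subprocess.run):
    """Dry run first; only run the real delete if the dry run exits 0.

    run is injectable (assumption of this example) so the sequencing can be
    tested without invoking phenv. Returns True only if both runs succeed.
    """
    dry = build_argv(before=before, dry_run=True, non_interactive=True)
    if run(dry).returncode != 0:
        return False
    real = build_argv(before=before, dry_run=False, non_interactive=True)
    return run(real).returncode == 0


if __name__ == "__main__":
    # The two examples from the documentation, composed from the argument table.
    print(" ".join(build_argv(before="2019-07-01")))
    print(" ".join(build_argv(after="2019-07-01", before="2019-12-01")))
    # Assumed 90-day window for a scheduled job; the date here is constructed.
    cutoff = retention_cutoff("2019-12-01", 90)
    print("would pass --before", cutoff)
```

Run the job only after the audit logs for the affected window have been downloaded and archived, since the script's deletes cannot be undone without a backup restore; keeping --dry-run as the default means a mis-typed invocation reports what it would remove instead of removing it.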
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7