Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)


Delete containers from your Splunk SOAR (On-premises) deployment

Use the delete_containers.pyc script to remove containers from your Splunk SOAR (On-premises) deployment. Only remove containers in compliance with your organization's legal and policy requirements for data retention.

Removing containers cannot be undone. The only way to recover containers is to restore your Splunk SOAR (On-premises) deployment from a backup.

Example: To delete all containers with the "test" label last updated before January 1, 2020 at 12:00:00 UTC:

phenv python /opt/phantom/bin/delete_containers.pyc --label test --before "2020-01-01T12:00:00Z"

Delete containers script arguments and record filters

Use these arguments to control how the delete_containers.pyc script runs.

| Argument | Description |
| --- | --- |
| -h, --help | Show this help message and exit the script. |
| -b, --list-labels | List the available container labels and exit the script. |
| -d, --dry-run | Do not delete any containers, just show the results from the command. Use this option to test your command input before executing the script. |
| --non-interactive | Do not block script execution for user input. Use this flag for running delete_containers.pyc as part of an unsupervised script. |
| -c <number of containers to delete>, --chunk-size <number of containers to delete> | Maximum number of containers to delete in a single transaction. Maximum value is 10,000. Example: -c 100 |
| --max-retry-count <MAX_RETRY_COUNT> | Maximum number of retries in case there is an error. |

Use these filters to control which containers the delete_containers.pyc script deletes.

| Filter | Description |
| --- | --- |
| -i <IDS>, --ids <IDS> | Delete the container IDs specified in a comma-separated list. |
| -l <LABEL>, --label <LABEL> | Only delete containers with the specified label. |
| -m <string>, --matching <string> | Delete containers whose title matches the specified string. The match is not case sensitive. |
| --before <date/time> | Only delete containers last updated before this date/time. Example: --before "2020-01-01T12:00:00Z" |
| --after <date/time> | Only delete containers last updated after this date/time. Example: --after "2020-01-01T12:00:00Z" |
| --status <STATUS> | Only delete containers with the status values specified in a comma-separated list. |
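
Because deletion cannot be undone, an unattended cleanup job benefits from validating its filters and running the dry run before the real pass. The wrapper below is an added example, not part of the Splunk documentation or product; it uses only the flags listed above. The names SOAR_DELETE_CMD, CONFIRM_DELETE, validate_purge_request and purge_containers are assumptions of this example, as is the script exiting non-zero on failure.

```shell
#!/bin/sh
# Added example (not Splunk code): guarded wrapper around delete_containers.pyc.
# Assumption: SOAR_DELETE_CMD and CONFIRM_DELETE are names invented for this example.
SOAR_DELETE_CMD=${SOAR_DELETE_CMD:-"phenv python /opt/phantom/bin/delete_containers.pyc"}

# Reject requests that are unfiltered, malformed, or above the documented chunk limit.
validate_purge_request() {
    label=$1; before=$2; chunk=$3
    if [ -z "$label" ]; then
        echo "refusing to run without a --label filter" >&2; return 2
    fi
    # Accept only the UTC timestamp shape shown in the documentation example.
    case $before in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) echo "--before must look like 2020-01-01T12:00:00Z" >&2; return 2 ;;
    esac
    case $chunk in
        ''|*[!0-9]*) echo "chunk size must be a whole number" >&2; return 2 ;;
    esac
    # 10,000 is the documented maximum for --chunk-size.
    if [ "$chunk" -lt 1 ] || [ "$chunk" -gt 10000 ]; then
        echo "chunk size must be between 1 and 10000" >&2; return 2
    fi
}

# Usage: purge_containers <label> <before> [chunk-size]
purge_containers() {
    validate_purge_request "$1" "$2" "${3:-1000}" || return $?
    # Build the shared filter list once so both passes use identical filters.
    set -- --label "$1" --before "$2" --chunk-size "${3:-1000}" --non-interactive
    # Pass 1: dry run. Shows what would be deleted; stop if it fails
    # (assumes a non-zero exit status signals failure).
    $SOAR_DELETE_CMD "$@" --dry-run || return 1
    if [ "${CONFIRM_DELETE:-no}" != yes ]; then
        echo "dry run only; set CONFIRM_DELETE=yes to delete" >&2
        return 0
    fi
    # Pass 2: the irreversible delete, with the same filters as the dry run.
    $SOAR_DELETE_CMD "$@"
}
```

Call it as `purge_containers test "2020-01-01T12:00:00Z" 100` to review the dry-run output, then repeat with CONFIRM_DELETE=yes once the listed containers match your retention policy and a backup exists.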
Last modified on 21 June, 2022

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1, 5.1.0, 5.2.1, 5.3.1, 5.3.3
