Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Delete containers from your Splunk SOAR (On-premises) deployment

Use the delete_containers.pyc script to remove containers from their Splunk SOAR (On-premises) deployment. Removing containers should only be done in compliance with your organization's legal and policy requirements for data retention.

Removing containers cannot be undone. The only way to recover containers is to restore your Splunk SOAR (On-premises) deployment from a backup.

Example: To delete all containers with the "test" label last updated before January 1, 2020 at 12:00:00 UTC:

phenv python /opt/phantom/bin/delete_containers.pyc --label test --before "2020-01-01T12:00:00Z"

Delete containers script arguments and record filters

Use these arguments for the delete_containers.pyc script to apply controls to the script.

Argument Description
-h, --help Show this help message and exit the script.
-b, --list-labels List the available container labels and exit the script.
-d, --dry-run Do not delete any containers, just show the results from the command. Use this option to test your command input before executing the script.
--non-interactive Do not block script execution for user input. Use this flag for running delete_containers.pyc as part of an unsupervised script.
-c <number of containers to delete>,
--chunk-size <number of containers to delete> 		Maximum number of containers to delete in a single transaction. Maximum value is 10,000. Example:
-c 100
-r <MAX_RETRY_COUNT>,
--max-retry-count <MAX_RETRY_COUNT> 		Maximum number of retries in case there is an error.

Use these filters for the delete_containers.pyc script to control on which containers the script deletes.

Filter Description
-i <IDS>, --ids <IDS> Delete the container IDs specified in a comma separated list.
-l <LABEL>, --label <LABEL> Only delete containers with the specified label.
-m <string>, --matching <string> Delete containers that title match the specified string. The match is not case sensitive.
--before <date/time> Only delete containers last updated before this date/time. Example:
--before "2020-01-01T12:00:00Z"
--after <date/time> Only delete containers last updated after this date/time. Example:
--after "2020-01-01T12:00:00Z"
--status <STATUS> Only delete containers the status values specified in a comma separated list.
Last modified on 11 October, 2023
Reset the admin and root passwords in   Enable clickable URLs in CEF data

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1, 5.1.0, 5.2.1, 5.3.1, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters