Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Delete containers from your Splunk SOAR (On-premises) deployment

Use a management command to remove containers from their Splunk SOAR (On-premises) deployment. Removing containers should only be done in compliance with your organization's legal and policy requirements for data retention.

Removing containers cannot be undone. The only way to recover containers is to restore your Splunk SOAR (On-premises) deployment from a backup.

Example: To delete all containers with the "test" label last updated before January 1, 2020 at 12:00:00 UTC:

phenv delete_containers --label test --before "2020-01-01T12:00:00Z"

Delete containers command arguments and record filters

Use these arguments to control the behavior of the delete_containers command.

Argument Description
-h, --help Show this help message and exit the command.
--list-labels List the available container labels and exit.
--dry-run Do not delete any containers, just show the results from the command. Use this option to test your command input before running the command.
--no-prompt Do not block command execution for user input. Use this flag for running delete_containers as part of an unsupervised script.
-c <number of containers to delete>,
--chunk-size <number of containers to delete> 		Maximum number of containers to delete in a single transaction. If containers have large numbers of related records, such as related artifacts, smaller chunk sizes may provide better performance, especially if running the command transactionally.
--transactional Set this option to run the entire delete operation atomically.

The delete operation may take a very long time, depending on how many containers your system has. Do not run transactionally if you want to be able to easily be able to pause and restart the deletion process.

Use these filters to control which containers are deleted.

Filter Description
--ids <IDS> Delete the container IDs specified in a space-separated list.
--label <LABEL> Only delete containers with the specified label.
--matching <MATCHING> Delete the containers with a matching title. Use a string. This string is not case sensitive.
--before <timestamp> Only delete containers created before this timestamp. Value can be in various formats including <yyyy-mm-dd>T<hh:mm:ss>Z or <yyyy-mm-dd>T<hh:mm>Z.
Example:
--before "2020-01-01T12:00:00Z"
--after <timestamp> Only delete containers created after this timestamp. Value can be in various formats including <yyyy-mm-dd>T<hh:mm:ss>Z or <yyyy-mm-dd>T<hh:mm>Z.
Example:
--before "2020-01-01T12:00:00Z"
--status <STATUS> Only delete containers with the status values specified in a space-separated list.
Last modified on 27 November, 2023
Reset the admin and root passwords in   Enable clickable URLs in CEF data

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0, 6.2.1, 6.2.2, 6.3.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters