Highlighted
raviv1 Super Contributor.
Super Contributor.
881 views

How to truncate the case table

Hello All,

How can we truncate the case table?

We have configured a test rule, which has created many cases and it is impacting the performance.

How can we detele all the cases? ESM is not able to load the cases in channel, so we are not able to delete from there.

Labels (2)
Tags (3)
0 Likes
4 Replies
David Bau Outstanding Contributor.
Outstanding Contributor.

Re: How to truncate the case table

Hello Raviv

Unfortunately its almost impossible to delete bulk cases from the manager since it takes an unreasonable amount of time

So you can delete directly from the resources table (be sure to do this very carefully and even get a system tables backup prior to doing so)

All Arcsight resources id's of the same type start with the same character for example all rules start with "j" (just an example again) so find the first character for cases , lets say in our example its "3" 

from /opt/arcsight/logger/current/arcsight/bin/

run

"mysql –u arcsight –p"

Login with the corr user password

run

"use arcsight"

run

delete from arc_resource where ID LIKE '3%';

 

Good luck

David

0 Likes
pacote Trusted Contributor.
Trusted Contributor.

Re: How to truncate the case table

arc.resource resource_type=3 is for registered devices in the ESM (connectors, forwarding/super connectors, logger forwarders).

resource_type=7 is for Cases.  Here are some queries that should help - and yes, back up the database before anything.

select count(*) from arc_resource where resource_type=7 and name like '%your test data identifier%';

select name, created from arc_resource where resource_type=7 and name like '%your test data identifier%" into outfile '/opt/arcsight/test_case_data.csv';

delete from arc_resource where resouce_type=7 and name like '%your test data identifier%'; 

0 Likes
Micro Focus Contributor
Micro Focus Contributor

Re: How to truncate the case table

If I were to want to delete all cases for a specific user could I use the arc_resource table for this?  I would like to expand on this query: select * from arc_resource where resource_type like '7%'.  I would need to add to that some identifier for the user, but not sure what it would be.

0 Likes
Acclaimed Contributor.. Shaun Acclaimed Contributor..
Acclaimed Contributor..

Re: How to truncate the case table

You can use the ESM API to delete cases.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.